US11782610B2 - Write and compare only data storage - Google Patents


Info

Publication number
US11782610B2
Authority
US (United States)
Prior art keywords
write, authentication data, compare, data set, partition
Legal status
Active, expires (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number
US16/777,722
Other versions
US20210240363A1 (en)
Inventors
Christopher B. Tumblin, Jess Lacy, Michael Barrell
Current assignee
Seagate Technology LLC (as listed by Google Patents)
Original assignee
Seagate Technology LLC

Events
    • Application US16/777,722 filed by Seagate Technology LLC; priority to US16/777,722
    • Assigned to Seagate Technology LLC (assignment of assignors' interest; assignors: Lacy, Jess; Barrell, Michael; Tumblin, Christopher B.)
    • Publication of US20210240363A1
    • Application granted
    • Publication of US11782610B2
    • Legal status: Active

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
              • G06F 21/45 Structures or tools for the administration of authentication
            • G06F 21/60 Protecting data
              • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
              • G06F 21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
          • G06F 3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
            • G06F 3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
              • G06F 3/0601 Interfaces specially adapted for storage systems
                • G06F 3/0602 Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
                  • G06F 3/062 Securing storage systems
                    • G06F 3/0622 Securing storage systems in relation to access
                • G06F 3/0628 Interfaces specially adapted for storage systems making use of a particular technique
                  • G06F 3/0629 Configuration or reconfiguration of storage systems
                    • G06F 3/0637 Permissions
                  • G06F 3/0646 Horizontal data movement in storage systems, i.e. moving data in between storage devices or systems
                    • G06F 3/065 Replication mechanisms
                  • G06F 3/0655 Vertical data movement, i.e. input-output transfer; data movement between one or more hosts and one or more storage devices
                    • G06F 3/0659 Command handling arrangements, e.g. command buffers, queues, command scheduling
                • G06F 3/0668 Interfaces specially adapted for storage systems adopting a particular infrastructure
                  • G06F 3/067 Distributed or networked storage systems, e.g. storage area networks [SAN], network attached storage [NAS]
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
            • H04L 63/12 Applying verification of the received information
              • H04L 63/123 Applying verification of the received information: received data contents, e.g. message integrity

Definitions

  • Data security refers generally to the protection of digital data, such as that stored within one or more databases within an organization's data storage network.
  • Authorized black hat users exploit their access to the organization's data storage network to copy data for improper use.
  • Unauthorized black hat users gain access to the organization's data storage network via various cyberattacks and also copy data from the organization's data storage network. Both authorized and unauthorized black hat users may then later analyze the copied data to obtain authentication data of other users.
  • One mechanism unauthorized or authorized black hat users use to gain access is theft of hashed authentication data. More specifically, if a black hat user is able to identify and copy hashed authentication data from the organization's data storage network, the black hat user may later run a variety of hash cracking techniques to recover authentication data corresponding to one or more other users. In various scenarios, the hash cracking techniques can be performed after being disconnected from the organization's data storage network and with the benefit of as much time as needed. The black hat user may then use the recovered authentication data corresponding to one or more other users to conduct identity theft of those users, often as a mechanism to obtain a financial advantage (e.g., money, credit and/or other benefits) in the name of other users.
  • Implementations described and claimed herein address the foregoing problems by providing a method of operating an authentication service within a data storage network.
  • The method comprises writing a verified authentication data set to a write-and-compare-only partition of a data storage drive, querying the write-and-compare-only partition for a match between the verified authentication data set and a to-be-verified authentication data set, receiving a match confirmation from the write-and-compare-only partition that the to-be-verified authentication data set matches the verified authentication data set, and authorizing access responsive to receiving the match confirmation from the write-and-compare-only partition of the data storage drive.
  • Implementations described and claimed herein address the foregoing problems by further providing a data storage network comprising a data storage drive storing a verified authentication data set in a write-and-compare-only partition of the data storage drive, and a network server.
  • The network server queries the write-and-compare-only partition for a match between the verified authentication data set and a to-be-verified authentication data set, receives a match confirmation from the write-and-compare-only partition that the to-be-verified authentication data set matches the verified authentication data set, and authorizes access responsive to receiving the match confirmation from the write-and-compare-only partition (volume) of the data storage drive.
  • FIG. 1 illustrates an example wide area network system diagram including a write-and-compare-only partition of a data storage drive.
  • FIG. 2 illustrates an example local area network system diagram including a write-and-compare-only partition of a data storage drive.
  • FIG. 3 illustrates example operations for operating a security client to execute user authentication using a write-and-compare-only partition of a data storage drive.
  • FIG. 4 illustrates an example system diagram of a computer system suitable for implementing aspects of a security client executing user authentication using a write-and-compare-only partition of a data storage drive.
  • In a conventional approach, the security client retrieves hashed authentication data, hashes the provided to-be-verified authentication information, and compares the hashed to-be-verified authentication information against the hashed verified authentication data to determine if the user has provided correct authentication information. If so, the security client grants access to the user. If not, the security client denies access to the user.
  • In contrast, the presently disclosed technology stores the hash lists in a write-and-compare-only volume (or partition) of a data storage drive. Instead of retrieving data from the hash list(s) to authenticate users, the security client queries the write-and-compare-only volume as to whether user-provided to-be-verified authentication information matches an un-hashed version of verified authentication information. If the to-be-verified authentication information matches the verified authentication information stored in the write-and-compare-only volume, the data storage drive sends a match confirmation to the security client, which in turn grants the user access.
  • Otherwise, the data storage drive sends a match error to the security client, which in turn denies the user access.
  • As a result, the hashed authentication data are never read from the write-and-compare-only volume of the data storage drive, and thus cannot be copied by a black hat user, even if the black hat user obtains access to the data storage drive.
  • Alternatively, verified authentication information is stored in an un-hashed state.
  • In that case, the presently disclosed technology stores the authentication information in a write-and-compare-only volume (or partition) of a data storage drive. Instead of retrieving the authentication information, the security client queries the write-and-compare-only volume as to whether user-provided to-be-verified authentication information matches the verified authentication information. If the to-be-verified authentication information matches the verified authentication information stored in the write-and-compare-only volume, the data storage drive sends a match confirmation to the security client, which in turn grants the user access.
  • Otherwise, the data storage drive sends a match error to the security client, which in turn denies the user access.
  • Again, the verified authentication information is never read from the write-and-compare-only volume of the data storage drive, and thus cannot be copied by a black hat user, even if the black hat user obtains access to the data storage drive.
  • Verified authentication information is used herein to mean any data that is stored in the write-and-compare-only volume and can be used for write-and-compare operations to determine a match.
  • To-be-verified authentication information is used herein to mean any data that is compared to the verified authentication information to determine if a match is present and, in some implementations, to grant access if a successful match is made.
  • The presently disclosed technology could also be used along with drive encryption technology, which would additionally protect in the scenario where a very simple password is used (e.g., password123). Such a password may be guessed by a black hat user in a few attempts, but the encryption key would be required to obtain access.
  • FIG. 1 illustrates an example network 100 system diagram including a write-and-compare-only partition 102 of a data storage drive 104.
  • The network 100 is illustrated as a combination of a wide area network (WAN) and a data storage local area network (LAN) 106; however, the presently disclosed technology could be implemented exclusively on a WAN or a LAN.
  • Network server 108 manages access to a data storage enclosure 110, which includes an array of data storage drives (e.g., storage drives 104, 112, 116).
  • The storage drives 104, 112, 116 store data on behalf of one or more web services (e.g., web service 113) and/or one or more users (e.g., user 114) and may be accessible by the web service(s) and user(s) via the Internet 118.
  • The storage drives 104, 112, 116 individually, or an enclosure containing one or more storage drives such as the storage drives 104, 112, 116, may be referred to herein as a data storage device.
  • The presently disclosed technology may be adopted at the storage drive level, enclosure level, and/or network level, including various combinations thereof.
  • Security client 120 manages access to the data storage network 106 provided to the web service(s) and user(s). More specifically, data stored on the storage drives 104, 112, 116 belongs to and/or is only accessible to certain web service(s) and user(s). Further, some of the data stored in the write-and-compare-only partition 102 of the storage drive 104 includes user authentication data, or hash lists thereof. The user authentication data is generally used to authenticate a user requesting access to data on the storage drives 104, 112, 116, access to a web service(s), and/or other access to data available over the Internet 118 but limited to certain users. While implementations of the write-and-compare-only partition 102 described in detail herein store user authentication data, one of ordinary skill in the art will recognize that other forms of data may also be stored within and authenticated using the write-and-compare-only partition 102.
  • The user authentication data includes a username or user identification paired with an alphanumeric password or passcode.
  • The password or passcode may be one or more of a simple string of characters, a single-use passcode, and a time-synchronized one-time passcode.
  • The user authentication data may include a username paired with a digitized user-specific biometric identifier (e.g., a fingerprint, iris scan, facial scan, etc.).
  • The authentication data may also be associated with an entity (e.g., a business entity) rather than a user.
  • The user authentication data may be stored in a format commonly associated with a key-value store. Further, the user authentication data (e.g., that stored in a key-value format) may include an identifier indicating an intended storage location within the write-and-compare-only partition 102 of the data storage drive 104.
  • At least the storage drive 104 includes the write-and-compare-only partition 102 of its data storage, which is distinct from other partitions (or volumes) that may be present within the storage drive 104 (e.g., read-and-write partition 122 and read-only partition 124).
  • The write-and-compare-only partition 102 prohibits the data stored therein from being read by the network server 108, or any other client connected to the data storage network 106, including both local clients and remote clients connected via the Internet 118.
  • This is explicitly distinct from the read-and-write partition 122, which permits data to be read from and written thereto depending on the access level granted to the network server 108, or any other client connected to the data storage network 106.
  • The data stored in the write-and-compare-only partition 102 is formatted in a manner only capable of being read by drive firmware and/or hardware 126.
  • Alternatively, the drive firmware and/or hardware 126 is located at the data storage enclosure 110 level and is capable of accessing write-and-compare-only partitions on any or all of storage drives 104, 112, 116.
  • The write-and-compare-only partition 102, read-and-write partition 122, and read-only partition 124 are discussed above in terms of specific partitioned areas of the storage volume of the storage drive 104 for convenience.
  • The data belonging to partitions 102, 122, 124 may instead be distributed throughout the storage drive 104 with a specific identifier indicating the access state (e.g., write-and-compare-only, read-and-write, or read-only) of each block or other grouping of data.
  • Any storage drive within the data storage enclosure 110 that stores hashed authentication data may include the aforementioned partitions 102, 122, 124, particularly the partition 102 to store the hashed user authentication data.
  • The network server 108 contains a hashing program that executes upon request from the security client 120, or the hashing program is executed by the security client 120 itself.
  • The user authentication data may also be stored in an un-hashed state. If the user authentication data is stored in an un-hashed state, the hashing program may not be required.
  • The drive firmware and/or hardware 126 may include software in addition to or in lieu of the firmware executing on the storage drive 104.
  • The number of connected user terminals may vary from one to many, each of which may be connected to and disconnected from the Internet 118 over time.
  • The data storage enclosure 110 is utilized as a central data storage space for the data storage network 106, the user terminals 114, 117, and/or the web service 113.
  • The network server 108 may also permit data access between user terminals within the storage network 106 in a similar manner to that described below referencing user terminals 114, 117 connected to the storage network 106 via the Internet 118.
  • Each data storage enclosure may include one or more storage drives. The quantity (i.e., one or more) and type (e.g., hard disk drives (HDDs), solid state drives (SSDs), flash memory, main memory, hybrid drives, tape drives, etc.) of individual storage drives may vary between data storage enclosures and within individual data storage enclosures.
  • The data storage network 106 is set up as a cloud storage facility for storing data corresponding to numerous users, web services, and other entities that may access the data storage network 106 via the Internet 118.
  • User 114 creates a username and password (collectively, user authentication data) in conjunction with establishing a Microsoft® Office 365® account (i.e., web service 113). If available and approved by Office 365®, the user authentication data now assigned to user 114 is transmitted to the data storage network 106 for storage on behalf of Office 365® and the user 114.
  • The approved user authentication data may also be referred to herein as a verified authentication data set.
  • The verified authentication data set includes one or both of a key portion and a value portion of a key-value pair.
  • The verified authentication data set is received by the network server 108 and includes an indicator that the received data is user authentication data.
  • The security client 120 executing on the network server 108 then directs the verified authentication data set to be written to the write-and-compare-only partition 102 of the storage drive 104.
  • The verified authentication data may be combined and stored together in the write-and-compare-only partition 102.
  • Alternatively, individual portions of the verified authentication data are separated, where the key portion of the key-value pair (e.g., the username) is stored in traditional memory (or the read-and-write partition 122) and the value portion (e.g., the password) is stored in the write-and-compare-only partition 102.
  • In that case, a location for the value stored in the write-and-compare-only partition 102 is also stored with the key portion in the traditional memory.
  • The password stored in the write-and-compare-only partition 102 is then queried using the location value stored with the username in traditional memory, for example.
  • When the user 114 later returns and desires access to their Office 365® account, the user 114 enters their username and password into a web browser associated with Office 365®. Office 365® then submits the received username and password to the data storage network 106 for verification.
  • The username and password submitted for verification may also be referred to herein as a to-be-verified authentication data set.
  • The to-be-verified authentication data set is received by the network server 108 and includes an indicator that the received data is user authentication data to be verified.
  • The security client 120 executing on the network server 108 queries the write-and-compare-only partition 102 of the storage drive 104 as to whether the to-be-verified authentication data set matches the verified authentication data set. If so, the storage drive 104 returns a match confirmation to the security client 120.
  • The security client 120 then directs Office 365® to grant the user access to their Office 365® account.
  • If the to-be-verified authentication data set does not match the verified authentication data set, the storage drive 104 returns a match error to the security client 120.
  • The security client 120 then directs Office 365® to deny the user 114 access to their Office 365® account.
  • The user may then be prompted to retry the verification process by reentering their username and password.
  • The user's username and password are not read from the write-and-compare-only partition 102 of the storage drive 104 to perform the aforementioned verification process; consequently, a copy of the user's username and password is not passed to or received by the network server 108.
  • The user's username and password may only be passed down from the Internet 118 to the data storage network 106 and ultimately the data storage enclosure 110 for storage, but not retrieved upward to the Internet 118 from the data storage enclosure 110. Only a match confirmation or a match error (as appropriate) is returned from the storage drive 104 to the security client 120.
  • Only a portion (i.e., a fraction of the total length) of the to-be-verified authentication data set may be used to obtain a match confirmation when compared with the verified authentication data set.
  • This partial match may be acceptable when the security risk is relatively low, or when the verified authentication data set is particularly lengthy and only a partial match is required to obtain the desired security level.
  • A full match, by contrast, requires that the to-be-verified authentication data set has an equal length to the verified authentication data set.
  • Requiring a minimum comparison size to perform user authentication prevents a black hat user from attempting to determine the user authentication data set a very small piece at a time (e.g., all the way down to one byte at a time) through a brute force attack on the data storage network 106.
  • User 117 is a black hat user attempting to gain access to the Office 365® account associated with the user 114.
  • The black hat user 117 may first attempt to gain access to the data storage network 106 to copy data from the data storage enclosure 110 that may contain user authentication data. Even if the black hat user 117 is successful in gaining access to the data storage network 106, as the user authentication data is stored in the write-and-compare-only partition 102, the black hat user 117 will be unsuccessful in copying that data from the storage drive 104 as the write-and-compare-only partition 102 is unreadable by design.
  • The black hat user 117 may next attempt to gain access to the Office 365® account associated with the user 114.
  • Since the black hat user 117 does not have the user authentication data associated with the user 114, the black hat user 117 is limited to guessing username/password combinations and submitting them to the security client 120 for the verification process. While the black hat user 117 may repeatedly submit potential username/password combinations to the security client 120, a well-chosen username/password combination will be difficult for the black hat user 117 to guess. Additional measures may be implemented to further frustrate attempts by the black hat user 117 to gain access to the Office 365® account associated with the user 114.
  • Additional measures may include one or more of: imposing a minimum time between queries (e.g., 1 millisecond), a maximum number of unsuccessful consecutive attempts, and requiring additional user authentication steps (e.g., security questions to confirm identity).
  • An additional potential security measure pauses attempts (for a predetermined period or until some other security criteria or administrator permission is provided) after a predetermined number of incorrect attempts have been tried.
  • A still further potential security measure specifies that after a predetermined number of incorrect attempts, a notification could be provided to the user and/or a system administrator.
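The additional measures listed in the last few items (a minimum time between queries, a cap on consecutive unsuccessful attempts, a pause after a predetermined number of failures, and a notification to the user or an administrator) as one host-side policy layer, written as an added Python example; it is not code from the patent or from Seagate. The thresholds, the `QueryThrottle` and `ManualClock` names, the per-user state layout and the `guarded_query` wrapper are all this example's own assumptions; the drive comparison is passed in as a callable so the policy stays independent of how the partition is implemented.

```python
import time

# Added example (not the patent's or Seagate's code): a host-side policy layer that
# decides whether a verification query may be forwarded to the drive at all.
# Threshold values are constructed samples; ManualClock exists so the behaviour
# can be exercised deterministically without real waiting.


class ManualClock:
    """Deterministic stand-in for time.monotonic()."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class QueryThrottle:
    def __init__(self, min_interval_s: float = 0.001, max_failures: int = 5,
                 pause_s: float = 300.0, notify_after: int = 3, clock=time.monotonic):
        self.min_interval_s = min_interval_s   # minimum time between queries (e.g., 1 ms)
        self.max_failures = max_failures       # consecutive failures that trigger a pause
        self.pause_s = pause_s                 # predetermined pause length in seconds
        self.notify_after = notify_after       # failures before user/admin notification
        self.clock = clock
        self.notifications: list[tuple[str, int]] = []   # (username, failure count)
        self._state: dict[str, dict] = {}

    def _entry(self, username: str) -> dict:
        return self._state.setdefault(
            username, {"last_query": None, "failures": 0, "paused_until": 0.0})

    def allow(self, username: str) -> tuple[bool, str]:
        """Decide whether a query for this username may be sent to the drive now."""
        e = self._entry(username)
        now = self.clock()
        if now < e["paused_until"]:
            return False, "paused"
        if e["last_query"] is not None and now - e["last_query"] < self.min_interval_s:
            return False, "too_fast"     # a rejected query does not restart the interval
        e["last_query"] = now
        return True, "ok"

    def record(self, username: str, matched: bool) -> None:
        """Update per-user state with the drive's match confirmation / match error."""
        e = self._entry(username)
        if matched:
            e["failures"] = 0
            return
        e["failures"] += 1
        if e["failures"] == self.notify_after:
            self.notifications.append((username, e["failures"]))
        if e["failures"] >= self.max_failures:
            e["paused_until"] = self.clock() + self.pause_s
            e["failures"] = 0   # counting starts over once the pause expires


def guarded_query(throttle: QueryThrottle, username: str, drive_compare) -> str:
    """Run one verification query through the policy.

    drive_compare() stands in for the drive's compare operation and returns True
    only when the drive answered with a match confirmation.
    """
    allowed, reason = throttle.allow(username)
    if not allowed:
        return reason                      # "paused" or "too_fast": drive never queried
    matched = drive_compare()
    throttle.record(username, matched)
    return "match" if matched else "mismatch"


if __name__ == "__main__":
    clock = ManualClock()
    throttle = QueryThrottle(max_failures=3, pause_s=10.0, notify_after=2, clock=clock)
    # constructed scenario: repeated wrong guesses against one username
    for _ in range(5):
        print(guarded_query(throttle, "user114", lambda: False))
        clock.advance(0.002)
    print("notifications:", throttle.notifications)
```

Because `allow` does not refresh `last_query` on a rejected query, a flood of requests is rejected individually rather than extending the interval indefinitely; the pause, by contrast, is absolute and is only lifted once the clock passes `paused_until`.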
  • The verified authentication data set may be hashed prior to being written to the write-and-compare-only partition 102 of the storage drive 104 (e.g., a 256-bit (32-byte) hash).
  • In some implementations the security client 120 performs the hashing, while in other implementations the drive firmware and/or hardware 126 executing on the storage drive 104 performs the hashing. For example, usernames may be stored un-hashed, while corresponding passwords are hashed using a hashing program executing at the security client 120 or the drive firmware and/or hardware 126.
  • The hashing program may be unknown beyond the data storage network 106, the data storage enclosure 110, or the storage drive 104, depending on where within the data storage network 106 the hashing program is executed. Further, the to-be-verified authentication data set is also hashed by the security client 120 or the drive firmware and/or hardware 126 using the same hashing program prior to being compared to the verified authentication data set to determine whether there is a match.
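The enrollment-and-verification flow described for FIG. 1 (the security client writes the verified set, keeps the username and a location in ordinary storage, later queries the partition with the to-be-verified set and gets back only a match confirmation or a match error), the minimum comparison size, and the hashing of both sets with the same program before comparison, brought together in one added Python example. This is not code from the patent or from Seagate: the in-memory dict standing in for drive firmware, the opaque location handles returned at write time, the salted PBKDF2-SHA256 hash, the 32-byte minimum and the constant-time comparison are all choices made for this example.

```python
import hashlib
import hmac
import os
import secrets

# Return messages from the drive: the host only ever sees one of these.
MATCH_CONFIRMATION = "MATCH_CONFIRMATION"
MATCH_ERROR = "MATCH_ERROR"


class WriteCompareOnlyPartition:
    """Stand-in for drive firmware/hardware owning a write-and-compare-only partition.

    Assumption (not from the patent): records are addressed by an opaque location
    handle that the drive returns at write time; storage is an in-memory dict.
    """

    def __init__(self, min_compare_len: int = 32):
        self._records: dict[str, bytes] = {}    # firmware-private; no read path exists
        self.min_compare_len = min_compare_len  # minimum comparison size

    def write(self, data: bytes) -> str:
        """Write a verified authentication data set; return only its location handle."""
        location = secrets.token_hex(8)
        self._records[location] = bytes(data)
        return location

    def compare(self, location: str, candidate: bytes) -> str:
        """Answer MATCH_CONFIRMATION or MATCH_ERROR; stored bytes never leave the drive."""
        stored = self._records.get(location)
        if stored is None:
            return MATCH_ERROR
        # Full-length match only: refusing short candidates blocks recovery of the
        # stored value one small piece at a time.
        if len(candidate) < self.min_compare_len or len(candidate) != len(stored):
            return MATCH_ERROR
        # Constant-time comparison so timing does not reveal how many bytes matched.
        if hmac.compare_digest(stored, bytes(candidate)):
            return MATCH_CONFIRMATION
        return MATCH_ERROR
    # Deliberately no read()/dump(): a host with this object's whole API still has
    # no operation that returns the stored data.


class SecurityClient:
    """Host side: usernames and location handles live in ordinary storage; only the
    hashed password goes to the partition, and the to-be-verified password is hashed
    with the same program before the drive is asked to compare."""

    def __init__(self, partition: WriteCompareOnlyPartition):
        self.partition = partition
        self.directory: dict[str, tuple[bytes, str]] = {}  # username -> (salt, location)

    @staticmethod
    def hash_secret(password: str, salt: bytes) -> bytes:
        # 256-bit (32-byte) output as in the patent's example; salted PBKDF2 is this
        # example's choice of hashing program, not something the patent specifies.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def enroll(self, username: str, password: str) -> None:
        """Store the verified authentication data set (write path only)."""
        salt = os.urandom(16)
        location = self.partition.write(self.hash_secret(password, salt))
        self.directory[username] = (salt, location)

    def verify(self, username: str, password: str) -> bool:
        """Query the partition with the to-be-verified set; grant only on a match confirmation."""
        entry = self.directory.get(username)
        if entry is None:
            return False   # a deployment would also equalise timing for unknown usernames
        salt, location = entry
        candidate = self.hash_secret(password, salt)
        return self.partition.compare(location, candidate) == MATCH_CONFIRMATION


if __name__ == "__main__":
    drive = WriteCompareOnlyPartition()
    client = SecurityClient(drive)
    client.enroll("user114", "correct horse battery staple")   # constructed sample
    print(client.verify("user114", "correct horse battery staple"))
    print(client.verify("user114", "password123"))
```

The split follows the key/value arrangement described above: the username and the location pointer are ordinary, readable data, while the value that matters is only ever written to, or compared against, the partition. Note that with a fixed-width hash the equal-length rule is automatically satisfied by every legitimate query, so the minimum comparison size only ever rejects malformed or truncated candidates.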
  • FIG. 2 illustrates an example local area network system diagram 200 including a write-and-compare-only partition 202 of a data storage drive 204.
  • Data storage drive 204 is one of many data storage drives connected to network server 208 within the local area network.
  • Upon physical connection to a corresponding data storage network (not shown; see, e.g., data storage network 106 of FIG. 1), the data storage drive 204 requests data access to the data storage network via data connection request 228.
  • Upon detection of the presence of the storage drive 204 and/or receipt of the data connection request 228, server software 230 establishes a data connection 232 with drive firmware and/or hardware 226.
  • Security client 220 executes within the server software 230 running on the network server 208.
  • The security client 220 and data connection 232 may be initiated concurrently or sequentially, but the security client 220 is running prior to authorizing the transfer of any data between the network server 208 and the storage drive 204.
  • The data connection 232 may include read access, write access, and/or read/write access between the network server 208 and the storage drive 204, depending on the network configuration settings, as discussed in detail below.
  • The network server 208 includes network storage 240, which may serve as a buffer for data transfers to and from the storage drive 204.
  • The storage drive 204 may include three data partitions: the write-and-compare-only partition 202, a read-and-write partition 222, and a read-only partition 224.
  • The write-and-compare-only partition 202 permits data, particularly user authentication data, to be written to the storage drive 204. However, once the data is written to the write-and-compare-only partition 202, it is prohibited from being read by the network server 208, or any other client connected thereto. This is illustrated by data transfer arrow 234 indicating data flow exclusively from network storage 240 to the write-and-compare-only partition 202.
  • A return message from the write-and-compare-only partition 202 to the network storage 240 indicates that the data was successfully written to the write-and-compare-only partition 202.
  • The read-and-write partition 222 permits data to be read from and written to the storage drive 204 depending on the access level granted to the network server 208, or any other client connected thereto. This is illustrated by data transfer arrow 236 indicating bidirectional data flow between the network storage 240 and the read-and-write partition 222.
  • The read-only partition 224 permits data to be read from, but not written to, the storage drive 204, also depending on the access level granted to the network server 208, or any other client connected thereto. This is illustrated by data transfer arrow 238 indicating data flow exclusively from the read-only partition 224 to the network storage 240.
  • The data stored in the write-and-compare-only partition 202 is formatted in a manner only capable of being read by the drive firmware and/or hardware 226 and cannot be transferred out of the storage drive 204.
  • The write-and-compare-only partition 202, read-and-write partition 222, and read-only partition 224 are discussed above in terms of specific partitioned areas of the storage volume of the storage drive 204 for convenience.
  • The data belonging to partitions 202, 222, 224 may instead be distributed throughout the storage drive 204 with a specific identifier indicating the access state (e.g., write-and-compare-only, read-and-write, or read-only) of each block or other grouping of data.
  • the drive firmware and/or hardware 226 may be embedded within a secured portion of the storage drive 204 (e.g., the read-only partition 224 ) with limited communication and read/write access as compared to other partitions of the storage drive 204 (e.g., the read-and-write partition 222 ).
  • the drive firmware and/or hardware 226 may also be embedded on a separate storage medium within the storage drive 204 meant specifically for the drive firmware and/or hardware 226 and having limited communication and read/write access (e.g., on an application-specific integrated circuit (ASIC)).
  • the drive firmware is not readable and is located in a write-only section of the storage drive 204 that would only be overwritten using a firmware update mechanism that would have to pass internal checking before overwriting the firmware.
  • Network server 208 manages access to the storage drive 204 , which stores data on behalf of one or more web services (not shown, see e.g., web service 113 of FIG. 1 ) and one or more users (not shown, see e.g., user 114 of FIG. 1 ) and may be accessible by the web service(s) and user(s) via the Internet (not shown, see e.g., Internet 118 ). More specifically, data stored on the storage drive 204 belongs to and/or is only accessible to certain web service(s) and user(s). Further, some of the data stored in the write-and-compare-only partition 202 of the storage drive 204 includes a verified authentication data set 242 , or a hash list thereof. The verified authentication data set 242 is generally used to authenticate a user requesting access to data on the storage drive 204 , access to a web service(s), and/or other access to data available over the Internet but limited to specific users.
  • the network server 208 contains a hashing program 244 that executes upon request from the security client 220 to hash the verified authentication data set 242 prior to being written in the write-and-compare-only partition 202 .
  • the hashing program 244 may also hash a to-be-verified authentication data set 246 prior to being compared to the verified authentication data set 242 for user authentication.
  • If user authentication data is considered secure within the write-and-compare-only partition 202 , it may be stored as the verified authentication data set 242 in an un-hashed state. If the verified authentication data set 246 is stored in an un-hashed state, the hashing program 244 may not be required.
  • the drive firmware and/or hardware 226 includes software executing on the storage drive 204 .
  • a user creates a username and password (collectively, user authentication data) in conjunction with establishing a Microsoft® Office 365® account. If available and approved by Office 365®, the user authentication data now assigned to the user is transmitted to the network server 208 for storage on behalf of Office 365® and the user.
  • the approved user authentication data may also be referred to herein as the verified authentication data set 242 .
  • the verified authentication data set 242 is received by the network server 208 , which includes an indicator that the received data is user authentication data.
  • the network server 208 requests the authentication data (e.g., a username and a password), thus the network server 208 is already aware that the received data is user authentication data without a further indicator.
  • the security client 220 executing on the network server 208 then directs the verified authentication data set 242 to be written to the write-and-compare-only partition 202 of the storage drive 204 via the drive firmware and/or hardware 226 .
  • When the user later returns and desires access to their Office 365® account, the user enters their username and password into a web browser associated with Office 365®. Office 365® then submits the received username and password to the network server 208 for verification.
  • the username and password submitted for verification may also be referred to herein as the to-be-verified authentication data set 246 .
  • the to-be-verified authentication data set 246 is received by the network server 208 , which may include an indicator that the received data is user authentication data to-be-verified.
  • the security client 220 executing on the network server 208 then directs the drive firmware and/or hardware 226 to query the write-and-compare-only partition 202 of the storage drive 204 as to whether the to-be-verified authentication data set 246 matches the verified authentication data set 242 . If so, the drive firmware and/or hardware 226 returns a match confirmation to the security client 220 . The security client 220 then directs Office 365® to grant the user access to their Office 365® account.
  • Otherwise, the drive firmware and/or hardware 226 returns a match error to the security client 220 .
  • the security client 220 then directs Office 365® to deny the user access to their Office 365® account.
  • the user may then be prompted to retry the verification process by reentering their username and password.
  • the user's username and password are not read from the write-and-compare-only partition 202 and sent outside of the storage drive 204 to perform the aforementioned verification process. Only a match confirmation or a match error (as appropriate) is returned from the storage drive 204 to the security client 220 .
  • a black hat user (see e.g., user 117 ) is attempting to gain access to the Office 365® account associated with the user.
  • the black hat user may first attempt to gain access to the storage drive 204 to copy data that may contain user authentication data. Even if the black hat user is successful in gaining access to the storage drive 204 , as the user authentication data is stored in the write-and-compare-only partition 202 , the black hat user will be unsuccessful in copying that data from the storage drive 204 .
  • the black hat user may next attempt to gain access to the Office 365® account associated with the user.
  • Because the black hat user does not have the authentication data associated with the user, the black hat user is limited to guessing username/password combinations and submitting them to the security client 220 for the verification process. While the black hat user may repeatedly submit potential username/password combinations to the security client 220 , a well-chosen username/password combination will be difficult for the black hat user to guess. Further, additional measures may be implemented to further frustrate attempts by the black hat user to gain access to the Office 365® account associated with the user, as described above.
  • the verified authentication data set 242 is hashed prior to being written to the write-and-compare-only partition 202 of the storage drive 204 .
  • the security client 220 performs the hashing using the hashing program 244 , while in other implementations the drive firmware and/or hardware 226 executing on the storage drive 204 performs the hashing.
  • usernames may be stored un-hashed, while corresponding passwords are hashed using the hashing program 244 .
  • the hashing program 244 may be unknown beyond the data storage network or the storage drive 204 , depending on where the hashing program 244 is executed.
  • the to-be-verified authentication data set 246 may also be hashed by the security client 220 or the drive firmware and/or hardware 226 using the same hashing program 244 prior to being compared to the verified authentication data set 242 to determine whether there is a match.
  • the storage drive 204 may also include a virtual volume 248 that mirrors the content of the write-and-compare-only partition 202 .
  • Rather than querying the drive firmware and/or hardware 226 to determine if the to-be-verified authentication data set 246 matches the verified authentication data set 242 , the security client 220 performs a write operation of the to-be-verified authentication data set 246 to the virtual volume 248 .
  • the drive firmware and/or hardware 226 determines if the to-be-verified authentication data set 246 written to the virtual volume 248 matches the verified authentication data set 242 on the write-and-compare-only partition 202 .
  • If the sets match, the drive firmware and/or hardware 226 returns a successful write notification to the security client 220 and the security client 220 then authorizes access corresponding to the user. If the to-be-verified authentication data set 246 written to the virtual volume 248 does not match the verified authentication data set 242 on the write-and-compare-only partition 202 , the drive firmware and/or hardware 226 returns a write error notification to the security client 220 and the security client 220 then denies access corresponding to the user.
  • FIG. 3 illustrates example operations 300 for operating a security client to execute user authentication using a write-and-compare-only partition of a data storage drive.
  • An establishing operation 305 establishes a data connection with the data storage drive within a data storage network.
  • the establishing operation 305 includes physically connecting the data storage drive to the data storage network, sending a data connection request from the data storage drive to the data storage network, and a network server granting the data connection request on behalf of the data storage network.
  • a receiving operation 310 receives a verified authentication data set corresponding to a user.
  • the verified authentication data set includes a user identification and associated password particular to the user (at least with reference to a service that the user is requesting access to) and may be used to later verify the user's identity.
  • An optional hashing operation 315 hashes the verified authentication data set so that it is not sent and stored in a readily readable state.
  • a writing operation 320 writes the verified authentication data set (hashed or un-hashed) to a write-and-compare-only partition of the data storage drive.
  • the write-and-compare-only partition prohibits the data stored therein from being read by the network server, or any other client connected to the data storage network, including both local clients and remote clients connected via the Internet.
  • This is explicitly distinct from a read-and-write partition that permits data to be read from and written thereto depending on the access level granted to the network server, or any other client connected to the data storage network.
  • This is also explicitly distinct from the read-only partition that permits data to be read from, but not written thereto, also depending on the access level granted to the network server, or any other client connected to the data storage network.
  • a receiving operation 325 receives a to-be-verified authentication data set from a user requesting access to a web service or data store.
  • a hashing operation 327 hashes the to-be-verified authentication data set so that it may match the hashed verified authentication data set. In some implementations, the hashing operations 315 , 327 are omitted.
  • Querying operation 330 queries the write-and-compare-only partition for a match between the verified authentication data set and the to-be-verified authentication data set.
  • the querying operation 330 may also be referred to as a comparison command and includes several parameters, such as: a specific location on the data storage drive to check (which may include an offset (e.g., byte, sector, entry number, etc.) within a specific sector within the data storage drive), the number of bytes at that specific location to check (which may be implicit based on the to-be-verified authentication data set value), and the to-be-verified authentication data set itself.
  • the verified authentication data set (e.g., the user's username and password) is not read from the write-and-compare-only partition and sent outside of the storage drive to perform the querying operation 330 . Only a match confirmation or a match error (as appropriate) is returned from the storage drive to the security client.
  • individual portions of the verified authentication data are separated, where a key portion of the key value (e.g., the username) is stored in a read-and-write partition and a value portion (e.g., the password) is stored in the write-and-compare-only partition.
  • a location for the key value stored in the write-and-compare-only partition is also stored with the key portion in the traditional memory.
  • Decision operation 335 determines if the verified authentication data set matches the to-be-verified authentication data set.
  • the decision operation 335 may be performed by the storage drive firmware and/or hardware so that the verified authentication data set is not read from the storage drive. If the decision operation 335 determines that a match is present, the drive firmware returns a match confirmation to the security client, which in turn authorizes access corresponding to the user in authorizing access operation 340 . In various implementations, the verified authentication data set is capable of being re-written following a successful authorizing access operation 340 . If the decision operation 335 determines that a match is not present, the drive firmware returns a match error to the security client, which in turn denies access corresponding to the user in denying access operation 345 . In various implementations, the verified authentication data set cannot be re-written following the denying access operation 345 and without a subsequent authorizing access operation 340 .
  • the query operation 330 is performed using a write operation to a virtual volume that mirrors the write-and-compare-only partition of the data storage drive. More specifically, the drive firmware compares the to-be-verified authentication data set written to the virtual volume to the verified authentication data set in decision operation 335 . The drive firmware returns a successful write notification if the to-be-verified authentication data set written to the virtual volume matches the verified authentication data set in the write-and-compare-only partition of the data storage drive (resulting in the authorize access operation 340 ). The drive firmware returns a write error notification if the to-be-verified authentication data set written to the virtual volume does not match the verified authentication data set in the write-and-compare-only partition of the data storage drive (resulting in the deny access operation 345 ).
  • the query operation 330 is performed using an atomic test-and-set command. More specifically, the drive firmware checks if a to-be-verified authentication data set matches a verified authentication data set. In one implementation, a test-data field of the to-be-verified authentication data set is compared against a test-data field of the verified authentication data set. If a match is present, a match success confirmation is returned to the security client (resulting in the authorize access operation 340 ).
  • In one implementation, when a match is present the verified authentication data set (or a set-data-field thereof) is replaced with the to-be-verified authentication data set (or a set-data-field thereof, which may be the same value) and a successful write confirmation is returned to the security client (also resulting in the authorize access operation 340 ).
  • In another implementation, the verified authentication data set is not replaced with the to-be-verified authentication data set (which is the same value) as the write command is ignored, but a successful match confirmation (e.g., of the test-data fields) is returned to the security client (also resulting in the authorize access operation 340 ). If the to-be-verified authentication data set does not match the verified authentication data set, a write error notification is returned to the security client (resulting in the deny access operation 345 ).
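The comparison command, the key/value split across partitions, the virtual-volume write and the atomic test-and-set described above, modelled as an added example (not Seagate's firmware or any code from the patent). `DriveFirmware`, `SecurityClient`, the 32-byte slot layout and the constructed credentials are hypothetical; keying the hashing program with a drive-internal secret and using a constant-time compare are this example's assumptions, which the patent does not specify.

```python
import hashlib
import hmac
import os

SLOT_SIZE = 32  # one 32-byte hash per entry; constructed layout
MATCH, MATCH_ERROR = "match confirmation", "match error"
WRITE_OK, WRITE_ERROR = "successful write", "write error"


class DriveFirmware:
    """Drive-side model (hypothetical). Only this class touches the write-and-
    compare-only bytes; the host API offers write, compare, virtual-volume write
    and test-and-set, but no read."""

    def __init__(self, slots):
        self._waco = bytearray(slots * SLOT_SIZE)  # write-and-compare-only partition
        self._in_use = [False] * slots
        # Hashing program keyed with a drive-internal secret (assumption; the
        # patent says only that it may be unknown outside the drive).
        self._key = os.urandom(32)

    def _digest(self, data):
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def write(self, slot, verified):
        """Writing operation 320: store the hash; only a status leaves the drive."""
        self._waco[slot * SLOT_SIZE:(slot + 1) * SLOT_SIZE] = self._digest(verified)
        self._in_use[slot] = True
        return WRITE_OK

    def read(self, slot):
        """Reads are refused for every host, root included."""
        raise PermissionError("write-and-compare-only partition is not readable")

    def compare(self, slot, candidate, length=SLOT_SIZE):
        """Comparison command (querying operation 330): location, byte count and
        the to-be-verified value go in; only match or match error comes out."""
        if not self._in_use[slot]:
            return MATCH_ERROR
        stored = bytes(self._waco[slot * SLOT_SIZE:(slot + 1) * SLOT_SIZE])[:length]
        probe = self._digest(candidate)[:length]
        # Constant-time compare (added hardening): timing must not reveal how
        # many leading bytes matched.
        return MATCH if hmac.compare_digest(stored, probe) else MATCH_ERROR

    def virtual_volume_write(self, slot, candidate):
        """Virtual-volume variant: the host writes the candidate to a mirror
        volume and receives a write result instead of a match result."""
        return WRITE_OK if self.compare(slot, candidate) == MATCH else WRITE_ERROR

    def test_and_set(self, slot, test, new):
        """Atomic test-and-set: replace the stored value only if test matches;
        an identical new value is ignored but still reports success."""
        if self.compare(slot, test) != MATCH:
            return WRITE_ERROR
        if new != test:
            self.write(slot, new)
        return WRITE_OK


class SecurityClient:
    """Network-server side. The key portion (username -> slot) sits in an
    ordinary read-and-write partition; the value portion (password) exists only
    as a hash inside the write-and-compare-only partition."""

    def __init__(self, drive):
        self.drive = drive
        self.directory = {}  # read-and-write partition: username -> slot

    def enroll(self, username, password):
        slot = len(self.directory)
        self.directory[username] = slot
        return self.drive.write(slot, password.encode())

    def authenticate(self, username, password):
        slot = self.directory.get(username)
        if slot is None:
            return False
        return self.drive.compare(slot, password.encode()) == MATCH

    def rotate_password(self, username, old, new):
        slot = self.directory[username]
        return self.drive.test_and_set(slot, old.encode(), new.encode()) == WRITE_OK


def demo():
    """Constructed scenario: enroll, verify, refuse a read, rotate via test-and-set."""
    drive = DriveFirmware(slots=4)
    client = SecurityClient(drive)
    client.enroll("alice", "correct horse battery staple")  # constructed credentials
    out = {
        "good": client.authenticate("alice", "correct horse battery staple"),
        "bad": client.authenticate("alice", "Tr0ub4dor&3"),
        "unknown_user": client.authenticate("bob", "anything"),
        "vvol": drive.virtual_volume_write(0, b"correct horse battery staple"),
        "rotate_wrong_old": client.rotate_password("alice", "wrong", "x"),
        "rotate_ok": client.rotate_password("alice", "correct horse battery staple", "new pass"),
        "after_rotate": client.authenticate("alice", "new pass"),
    }
    try:
        drive.read(0)
        out["read_blocked"] = False
    except PermissionError:
        out["read_blocked"] = True
    return out
```

Even a host that can issue every supported command learns nothing but match/no-match per attempt, which is the property the partition is meant to provide; rate limiting of those attempts still belongs on the security client.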
  • the query operation 330 is used to determine whether to grant access to a user (as shown in FIG. 3 and described in detail above).
  • the decision operation 335 that determines whether a match is present is an end in and of itself.
  • the write-and-compare-only partition could be used to validate a user using sensitive user information (e.g., social security numbers), but without granting any particular access. Similar confirmation/validations could be performed with a digital signature that was received from a 3rd party.
  • the security client could also maintain a data set of sensitive user identification information without having that information available for copying but use the write-and-compare-only partition to validate whether a given user identification was in the data set.
  • the operations 300 may iteratively repeat to authorize access for additional users, or the same user if access is initially denied and the user re-attempts user authentication.
  • FIG. 4 illustrates an example system diagram of a computer system 400 (e.g., a network server) suitable for implementing aspects of a security client executing user authentication using a write-and-compare-only partition 402 of a data storage drive 404 .
  • the storage drive 404 may include one or more of three data partitions: the write-and-compare-only partition 402 , a read-and-write partition 422 , and a read-only partition 424 .
  • the write-and-compare-only partition 402 permits data, particularly user authentication data, to be written to the storage drive 404 . However, once the data is written to the write-and-compare-only partition 402 , it is prohibited from being read by the computer system 400 .
  • the data stored in the write-and-compare-only partition 402 is formatted in a manner only capable of being read by drive firmware/hardware 426 .
  • Computer system 400 manages access to the storage drive 404 , which stores data on behalf of one or more web services (not shown, see e.g., web service 113 of FIG. 1 ) and one or more users (not shown, see e.g., user 114 of FIG. 1 ) and may be accessible by the web service(s) and user(s) via the Internet (not shown, see e.g., Internet 118 ). More specifically, data stored on the storage drive 404 belongs to and/or is only accessible to certain web service(s) and user(s). Further, some of the data stored in the write-and-compare-only partition 402 of the storage drive 404 includes a verified authentication data set 442 , or a hash list thereof.
  • the storage drive 404 can be organized with a file, block, or object storage format, or perhaps a combination thereof varying across different partitions.
  • the verified authentication data set 442 is generally used to authenticate a user requesting access to data on the storage drive 404 , access to a web service(s), and/or other access to data available over the Internet.
  • the drive firmware/hardware 426 may contain a hashing program 444 that executes upon request to hash the verified authentication data set 442 prior to being written in the write-and-compare-only partition 402 .
  • the hashing program 444 may also hash a to-be-verified authentication data set (not shown, see e.g., to-be-verified authentication data set 246 of FIG. 2 ) prior to being compared to the verified authentication data set 442 for user authentication.
  • the hashing program 444 is located at a network server level.
  • the storage drive 404 is connected to a data storage network via the computer system 400 , which may be a network server controlling the data storage network (not shown, see e.g., data storage network 106 of FIG. 1 ).
  • the system 400 includes a bus 401 , which interconnects major subsystems such as a processor 405 , system storage 407 (such as random-access memory (RAM) and read-only memory (ROM)), an input/output (I/O) controller 409 , removable storage (such as a memory card) 423 , a power supply 428 , and external devices such as a display screen 410 via a display adapter 412 , and various input peripherals 414 (e.g., a mouse, trackpad, keyboard, touchscreen, joystick, and/or smart card acceptance device).
  • Wireless interface 425 together with a wired network interface 427 , may be used to interface to the data storage network and/or a local or wide area network (such as the Internet) using any network interface system known to those skilled in
  • Code (e.g., computer software, including mobile applications (apps)) to implement the presently disclosed technology may be operably disposed in the system storage 407 , removable storage 423 , and/or the storage drive 404 .
  • code for implementing the write-and-compare-only partition 402 described in detail above may be stored in the drive firmware/hardware 426 , as shown.
  • the computing system 400 may include a variety of tangible computer-readable storage media (e.g., the system storage 407 , the removable storage 423 , and the storage drive 404 ) and intangible computer-readable communication signals.
  • Tangible computer-readable storage can be embodied by any available media that can be accessed by the computing system 400 and includes both volatile and non-volatile storage media, as well as removable and non-removable storage media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules, and/or other data.
  • Tangible computer-readable storage media includes, but is not limited to, firmware, RAM, ROM, electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, optical disc storage, magnetic cassettes, magnetic tape, magnetic disc storage or other magnetic storage devices, or any other tangible medium which can be used to store the desired information and which can be accessed by the computing system 400 .
  • Intangible computer-readable communication signals may embody computer readable instructions, data structures, program modules, or other data resident in a modulated data signal, such as a carrier wave or other signal transport mechanism.
  • modulated data signal means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal.
  • intangible communication signals include signals traveling through wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio frequency (RF), infrared (IR), and other wireless media.
  • Computer-readable storage media as defined herein specifically excludes intangible computer-readable communications signals.
  • Some implementations may comprise an article of manufacture which may comprise a tangible storage medium to store logic.
  • a storage medium may include one or more types of computer-readable storage media capable of storing electronic data, including volatile memory or non-volatile memory, removable or non-removable memory, erasable or non-erasable memory, writeable or re-writeable memory, and so forth.
  • the logic may include various software elements, such as software components, programs, applications, computer programs, application programs, system programs, machine programs, operating system software, middleware, firmware, software modules, routines, subroutines, operation segments, methods, procedures, software interfaces, application program interfaces (APIs), instruction sets, computing code, computer code, code segments, computer code segments, words, values, symbols, or any combination thereof.
  • an article of manufacture may store executable computer program instructions that, when executed by a computer, cause the computer to perform methods and/or operations in accordance with the described implementations.
  • the executable computer program instructions may include any suitable type of code, such as source code, compiled code, interpreted code, executable code, static code, dynamic code, and the like.
  • the executable computer program instructions may be implemented according to a predefined computer language, manner or syntax, for instructing a computer to perform a certain operation segment.
  • the instructions may be implemented using any suitable high-level, low-level, object-oriented, visual, compiled and/or interpreted programming language.
  • the presently disclosed technology may be implemented as logical steps in one or more computer systems (e.g., as a sequence of processor-implemented steps executing in one or more computer systems and as interconnected machine or circuit modules within one or more computer systems).
  • the implementation is a matter of choice, dependent on the performance requirements of the computer system implementing the presently disclosed technology. Accordingly, the logical operations making up implementations of the presently disclosed technology are referred to variously as operations, steps, objects, or modules.
  • logical operations may be performed in any order, adding or replacing operations as desired, unless explicitly claimed otherwise or a specific order is inherently necessitated by the claim language.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Human Computer Interaction (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The presently disclosed technology is directed to combatting data theft, particularly of verified authentication data (or hashes thereof) such as login information, thumbprint data, digital signatures, identification numbers, and any other data that should be known to an accessor of stored data. The verified authentication data is initially saved for later comparison in a new type of memory, write-and-compare-only memory, where the data may be queried as to whether a to-be-verified value matches the stored verified value, but the stored and verified data is not read from the write-and-compare-only memory. This prevents a data breach by preventing the verified authentication data from being read by anyone, including those with access (whether legitimate or illegitimate) to any system connected to the write-and-compare-only memory.

Description

BACKGROUND
Data security refers generally to the protection of digital data, such as that stored within one or more databases within an organization's data storage network. In one scenario, authorized black hat users exploit their access to the organization's data storage network to copy data for improper use. In another scenario, unauthorized black hat users gain access to the organization's data storage network via various cyberattacks and also copy data from the organization's data storage network. Both authorized and unauthorized black hat users may then later analyze the copied data to obtain authentication data of other users.
One mechanism unauthorized or authorized black hat users use to gain access is theft of hashed authentication data. More specifically, if a black hat user is able to identify and copy hashed authentication data from the organization's data storage network, the black hat user may later run a variety of hash cracking techniques to recover authentication data corresponding to one or more other users. In various scenarios, the hash cracking techniques can be performed after being disconnected from the organization's data storage network and with the benefit of as much time as needed. The black hat user may then use the recovered authentication data corresponding to one or more other users to conduct identity theft of those users, often as a mechanism to obtain a financial advantage (e.g., money, credit and/or other benefits) in the name of other users.
SUMMARY
Implementations described and claimed herein address the foregoing problems by providing a method of operating an authentication service within a data storage network. The method comprises writing a verified authentication data set to a write-and-compare-only partition of a data storage drive, querying the write-and-compare-only partition for a match between the verified authentication data set and a to-be-verified authentication data set, receiving a match confirmation from the write-and-compare-only partition that the to-be-verified authentication data set matches the verified authentication data set, and authorizing access responsive to receiving the match confirmation from the write-and-compare-only partition of the data storage drive.
Implementations described and claimed herein address the foregoing problems by further providing a data storage network comprising a data storage drive storing a verified authentication data set in a write-and-compare-only partition of the data storage drive and a network server. The network server queries the write-and-compare-only partition for a match between the verified authentication data set and a to-be-verified authentication data set, receives a match confirmation from the write-and-compare-only partition that the to-be-verified authentication data set matches the verified authentication data set, and authorizes access responsive to receiving the match confirmation from the write-and-compare-only volume of the data storage drive.
Other implementations are also described and recited herein.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 illustrates an example wide area network system diagram including a write-and-compare-only partition of a data storage drive.
FIG. 2 illustrates an example local area network system diagram including a write-and-compare-only partition of a data storage drive.
FIG. 3 illustrates example operations for operating a security client to execute user authentication using a write-and-compare-only partition of a data storage drive.
FIG. 4 illustrates an example system diagram of a computer system suitable for implementing aspects of a security client executing user authentication using a write-and-compare-only partition of a data storage drive.
DETAILED DESCRIPTION
Typically, when a user provides authentication information to a security client to obtain access, the security client retrieves hashed authentication data, hashes the provided to-be-verified authentication information, and compares the hashed to-be-verified authentication information against the hashed verified authentication data to determine if the user has provided correct authentication information. If so, the security client grants access to the user. If not, the security client denies access to the user.
To combat data theft, particularly of hashed authentication data, the presently disclosed technology stores the hash lists in a write-and-compare-only volume (or partition) of a data storage drive. Instead of retrieving data from the hash list(s) to authenticate users, the security client queries the write-and-compare-only volume as to whether user-provided to-be-verified authentication information matches an un-hashed version of verified authentication information. If the to-be-verified authentication information matches the verified authentication information stored in the write-and-compare-only volume, the data storage drive sends a match confirmation to the security client, which in turn grants the user access. If the to-be-verified authentication information does not match the verified authentication information stored in the write-and-compare-only volume, the data storage drive sends a match error to the security client, which in turn denies the user access. In the presently disclosed technology, the hashed authentication data are never read from the write-and-compare-only volume of the data storage drive, and thus not able to be copied by a black hat user, even if the black hat user obtains access to the data storage drive.
In other implementations, verified authentication information is stored in an un-hashed state. The presently disclosed technology stores the authentication information in a write-and-compare-only volume (or partition) of a data storage drive. Instead of retrieving the authentication information, the security client queries the write-and-compare-only volume as to whether user-provided to-be-verified authentication information matches the verified authentication information. If the to-be-verified authentication information matches the verified authentication information stored in the write-and-compare-only volume, the data storage drive sends a match confirmation to the security client, which in turn grants the user access. If the to-be-verified authentication information does not match the verified authentication information stored in the write-and-compare-only volume, the data storage drive sends a match error to the security client, which in turn denies the user access. In the presently disclosed technology, the verified authentication information is never read from the write-and-compare-only volume of the data storage drive, and thus not able to be copied by a black hat user, even if the black hat user obtains access to the data storage drive.
Verified authentication information is used herein to mean any data that is stored in the write-and-compare-only volume and can be used for write-and-compare operations to determine a match. To-be-verified authentication information is used herein to mean any data that is compared to the verified authentication information to determine whether a match is present and, in some implementations, to grant access if a successful match is made. In various implementations, the presently disclosed technology could be used along with drive encryption technology, which would provide additional protection in the scenario where a very simple password is used (e.g., password123). Such a password may be guessed by a black hat user in few attempts, but the encryption key would still be required to obtain access.
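The following is an added illustration, not code from the patent or from Seagate: a minimal model of the write-and-compare-only volume described above, together with a security client that only ever receives a match confirmation or a match error. The partition object exposes `write()` and `compare()` and deliberately has no `read()` method; the security client keeps the key portion (username) with a location value in ordinary read-and-write memory and sends only the value portion (password) to the partition. Storing records as salted SHA-256 digests, the 16-byte salt, and the class and method names are assumptions made for this example; the patent leaves the hashing program unspecified.

```python
import hashlib
import hmac
import os
import secrets


class WriteAndCompareOnlyPartition:
    """Model of a write-and-compare-only partition (assumed interface).

    Only write() and compare() exist. There is intentionally no read():
    code holding a reference to this object cannot retrieve a record, it
    can only ask whether a candidate matches one. Records are kept as
    salted SHA-256 digests (a 32-byte hash, as the text mentions); the
    salt length and hash choice are assumptions for this example.
    """

    def __init__(self):
        self._records = {}  # location -> (salt, digest); never returned to callers

    @staticmethod
    def _digest(salt: bytes, value: bytes) -> bytes:
        return hashlib.sha256(salt + value).digest()

    def write(self, location: str, value: bytes) -> bool:
        """Store verified authentication data; return only a write acknowledgement."""
        salt = os.urandom(16)
        self._records[location] = (salt, self._digest(salt, value))
        return True

    def compare(self, location: str, candidate: bytes) -> bool:
        """Return a match confirmation (True) or a match error (False), never the data."""
        record = self._records.get(location)
        if record is None:
            # Hash anyway so an unknown location costs about the same time as a known one.
            self._digest(b"\x00" * 16, candidate)
            return False
        salt, stored = record
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(stored, self._digest(salt, candidate))


class SecurityClient:
    """Security client that never handles stored credentials, only verdicts."""

    def __init__(self, partition: WriteAndCompareOnlyPartition):
        self._partition = partition
        # Key portion (username) -> location inside the partition. This map
        # lives in ordinary read-and-write memory; it contains no passwords.
        self._locations = {}

    def enroll(self, username: str, password: str) -> None:
        """Write the value portion (password) to the partition; keep only its location."""
        location = secrets.token_hex(8)
        self._locations[username] = location
        self._partition.write(location, password.encode("utf-8"))

    def authorize(self, username: str, password: str) -> bool:
        """Grant access only on a match confirmation from the partition."""
        location = self._locations.get(username)
        if location is None:
            return False
        return self._partition.compare(location, password.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample credentials for a stand-alone run.
    partition = WriteAndCompareOnlyPartition()
    client = SecurityClient(partition)
    client.enroll("alice", "correct horse battery staple")
    print("right password:", client.authorize("alice", "correct horse battery staple"))
    print("wrong password:", client.authorize("alice", "Correct horse battery staple"))
    print("partition has read():", hasattr(partition, "read"))
```

The point of the model is the absence of a read path: a compromise of the security client, or of anything above the partition, yields at most yes/no answers, which is what the rate-limiting and minimum-comparison-size measures discussed later are designed to throttle.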
FIG. 1 illustrates an example network 100 system diagram including a write-and-compare-only partition 102 of a data storage drive 104. The network 100 is illustrated as a combination of a wide area network (WAN) and a data storage local area network (LAN) 106; however, the presently disclosed technology could be implemented exclusively on a WAN or LAN.
Network server 108 manages access to a data storage enclosure 110, which includes an array of data storage drives (e.g., storage drives 104, 112, 116). The storage drives 104, 112, 116 store data on behalf of one or more web services (e.g., web service 113) and/or one or more users (e.g., user 114) and may be accessible by the web service(s) and user(s) via the Internet 118. The storage drives 104, 112, 116 individually, or an enclosure containing one or more storage drives such as the storage drives 104, 112, 116, may be referred to herein as a data storage device. The presently disclosed technology may be adopted at the storage drive level, enclosure level, and/or network level, including various combinations thereof.
Security client 120 manages access to the data storage network 106 provided to the web service(s) and user(s). More specifically, data stored on the storage drives 104, 112, 116 belongs to and/or is only accessible to certain web service(s) and user(s). Further, some of the data stored in the write-and-compare-only partition 102 of the storage drive 104 includes user authentication data, or hash lists thereof. The user authentication data is generally used to authenticate a user requesting access to data on the storage drives 104, 112, 116, access to a web service(s), and/or other access to data available over the Internet 118 but limited to certain users. While implementations of the write-and-compare-only partition 102 described in detail herein store user authentication data, one of ordinary skill in the art will recognize that other forms of data may also be stored within and authenticated using the write-and-compare-only partition 102.
In some implementations, the user authentication data includes a username or user identification paired with an alphanumeric password or passcode. In various implementations, the password or passcode may be one or more of a simple string of characters, single-use passcode, and a time-synchronized one-time passcode. In other implementations, the user authentication data may include a username paired with a digitized user-specific biometric identifier (e.g., a fingerprint, iris scan, facial scan, etc.). In other implementations, the authentication data is associated with an entity (e.g., a business entity) rather than a user. The user authentication data may be stored in a format commonly associated with a key-value store. Further, the user authentication data (e.g., that stored in a key-value format) may include an identifier indicating an intended storage location within the write-and-compare-only partition 102 of the data storage drive 104.
At least the storage drive 104 includes the write-and-compare-only partition 102 of its data storage, which is distinct from other partitions (or volumes) that may be present within the storage drive 104 (e.g., read-and-write partition 122 and read-only partition 124). The write-and-compare-only partition 102 prohibits the data stored therein from being read by the network server 108, or any other client connected to the data storage network 106, including both local clients and remote clients connected via the Internet 118. This is explicitly distinct from the read-and-write partition 122 that permits data to be read from and written thereto depending on the access level granted to the network server 108, or any other client connected to the data storage network 106. This is also explicitly distinct from the read-only partition 124 that permits data to be read from, but not written thereto, also depending on the access level granted to the network server 108, or any other client connected to the data storage network 106.
In some implementations, the data stored in the write-and-compare-only partition 102 is formatted in a manner only capable of being read by drive firmware and/or hardware 126. For example, by only permitting drive hardware to read the write-and-compare-only partition 102, even a hack of drive firmware would not permit a black hat user the ability to read the data stored in the write-and-compare-only partition 102. In other implementations, the drive firmware and/or hardware 126 is instead located at the data storage enclosure 110 level and capable of accessing write-and-compare-only partitions on any or all of storage drives 104, 112, 116. The write-and-compare-only partition 102, read-and-write partition 122, read-only partition 124 are discussed above in terms of specific partitioned areas of the storage volume of the storage drive 104 for convenience. In other implementations, the data between partitions 102, 122, 124 may be distributed throughout the storage drive 104 with a specific identifier indicating the access state (e.g., write-and-compare-only, read-and-write, or read-only) of each block or other grouping of data.
While the aforementioned partitions 102, 122, 124 are explicitly discussed as existing on storage drive 104, similar partitioning may also exist on storage drives 112, 116 and additional storage drives in the data storage enclosure 110. In one implementation, any storage drive within the data storage enclosure 110 that stores hashed authentication data may include the aforementioned partitions 102, 122, 124, particularly the partition 102 to store the hashed user authentication data.
As the hashed user authentication data is not readable from the storage drive 104, network server 108 contains a hashing program that executes upon request from the security client 120, or the security client 120 performs the hashing itself. In other implementations, if the user authentication data is considered secure within the write-and-compare-only partition 102, it may be stored in an un-hashed state. If the user authentication data is stored in an un-hashed state, the hashing program may not be required. In other implementations, the drive firmware and/or hardware 126 includes software in addition to or in lieu of the firmware executing on the storage drive 104.
In various implementations, the number of connected user terminals (e.g., user terminals 114, 117) and web services (e.g., web service 113) may vary from one to many, each of which may be connected to and disconnected from the Internet 118 over time. The data storage enclosure 110 is utilized as a central data storage space for the data storage network 106, the user terminals 114, 117, and/or the web service 113. In some implementations, there may be multiple data storage enclosures, each of which may be connected to and disconnected from the storage network 106 over time. In some implementations, the network server 108 may also permit data access between user terminals within the storage network 106 in a similar manner to that described below referencing user terminals 114, 117 connected to the storage network 106 via the Internet 118.
Each data storage enclosure may include one or more storage drives. Quantity (i.e., one or more) and type (e.g., hard disk drives (HDDs), solid state drives (SSDs), flash memory, main memory, hybrid drives, tape drives, etc.) of individual storage drives may vary between data storage enclosures and within individual data storage enclosures. In some implementations, the data storage network 106 is set up as a cloud storage facility for storing data corresponding to numerous users, web services, and other entities that may access the data storage network 106 via the Internet 118.
In an example scenario, user 114 creates a username and password (collectively, user authentication data) in conjunction with establishing a Microsoft® Office 365® account (i.e., web service 113). If available and approved by Office 365®, the user authentication data now assigned to user 114 is transmitted to the data storage network 106 for storage on behalf of Office 365® and the user 114. The approved user authentication data may also be referred to herein as a verified authentication data set. In a key-value scenario, the verified authentication data set includes one or both of a key portion and a value portion of the key. The verified authentication data set is received by the network server 108, which includes an indicator that the received data is user authentication data. The security client 120 executing on the network server 108 then directs the verified authentication data set to be written to the write-and-compare-only partition 102 of the storage drive 104.
In one implementation, the verified authentication data is combined and stored together in the write-and-compare-only partition 102. In another implementation, individual portions of the verified authentication data are separated, where a key portion of the key value (e.g., the username) is stored in traditional memory (or the read-and-write partition 122) and a value portion of the key value (e.g., the password) is stored in the write-and-compare-only partition 102. A location for the key value stored in the write-and-compare-only partition 102 is also stored with the key portion in the traditional memory. When a to-be-verified username/password is later presented for verification, the password stored in the write-and-compare-only partition 102 is queried using the location value stored with the username in traditional memory, for example.
When the user 114 later returns and desires access to their Office 365® account, the user 114 enters their username and password into a web browser associated with Office 365®. Office 365® then submits the received username and password to the data storage network 106 for verification. The username and password submitted for verification may also be referred to herein as a to-be-verified authentication data set. The to-be-verified authentication data set is received by the network server 108, which includes an indicator that the received data is user authentication data to-be-verified. The security client 120 executing on the network server 108 then queries the write-and-compare-only partition 102 of the storage drive 104 as to whether the to-be-verified authentication data set matches the verified authentication data set. If so, the storage drive 104 returns a match confirmation to the security client 120. The security client 120 then directs Office 365® to grant the user access to their Office 365® account.
If the to-be-verified authentication data set does not match the verified authentication data set, the storage drive 104 returns a match error to the security client 120. The security client 120 then directs Office 365® to deny the user 114 access to their Office 365® account. The user may then be prompted to retry the verification process by reentering their username and password. Notably, the user's username and password are not read from the write-and-compare-only partition 102 of the storage drive 104 to perform the aforementioned verification process, and consequently a copy of the user's username and password is not passed to or received by the network server 108. More specifically, the user's username and password may only be passed down from the Internet 118 to the data storage network 106 and ultimately the data storage enclosure 110 for storage, but not retrieved upward to the Internet 118 from the data storage enclosure 110. Only a match confirmation or a match error (as appropriate) is returned from the storage drive 104 to the security client 120.
In some implementations, only a portion (i.e., a fraction of the total length) of the to-be-verified authentication data set is used to obtain a match confirmation when compared with the verified authentication data set. This partial match may be acceptable when the security risk is relatively low, or the verified authentication data set is particularly lengthy and only a partial match is required to obtain the desired security level. In other implementations, a full match (i.e., the to-be-verified authentication data set has an equal length to the verified authentication data set) is required to generate a match confirmation. Requiring a minimum comparison size to perform user authentication prevents a black hat user from attempting to determine the user authentication data set a very small data set at a time (e.g., all the way down to one byte at a time) through a brute force attack on the data storage network 106.
In a further example scenario, user 117 is a black hat user attempting to gain access to the Office 365® account associated with the user 114. The black hat user 117 may first attempt to gain access to the data storage network 106 to copy data from the data storage enclosure 110 that may contain user authentication data. Even if the black hat user 117 is successful in gaining access to the data storage network 106, as the user authentication data is stored in the write-and-compare-only partition 102, the black hat user 117 will be unsuccessful in copying that data from the storage drive 104 as the write-and-compare-only partition 102 is unreadable by design.
The black hat user 117 may next attempt to gain access to the Office 365® account associated with the user 114. As the black hat user 117 does not have the user authentication data associated with the user 114, the black hat user 117 is limited to guessing username/password combinations and submitting them to the security client 120 for the verification process. While the black hat user 117 may repeatedly submit potential username/password combinations to the security client 120, a well-chosen username/password combination will be difficult for the black hat user 117 to guess. Additional measures may be implemented to further frustrate attempts by the black hat user 117 to gain access to the Office 365® account associated with the user 114. These additional measures may include one or more of: imposing a minimum time between queries (e.g., 1 millisecond), a maximum number of unsuccessful consecutive attempts, and requiring additional user authentication steps (e.g., security questions to confirm identity). As a result, it would take an impractically long time for a sequential series of random attacks to succeed in obtaining even a single piece of the user authentication data. An additional potential security measure pauses attempts (for a predetermined period or until some other security criterion is satisfied or administrator permission is provided) after a predetermined number of incorrect attempts have been tried. A still further potential security measure specifies that after a predetermined number of incorrect attempts, a notification could be provided to the user and/or a system administrator.
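The two preceding paragraphs describe query-side controls on the compare path: a minimum comparison size (so that the stored data cannot be determined a byte at a time), a minimum interval between queries, a maximum number of consecutive failures followed by a pause, and a notification after a predetermined number of failures. The following added example, which is not code from the patent, implements those controls as a guard in front of the drive's compare operation. The `QueryGuard` and `GuardPolicy` names, the verdict strings, the injectable clock, and the dictionary standing in for the drive's compare are all assumptions for this example; the numeric thresholds in `run_demo()` are constructed sample values, except the 1 millisecond interval, which the text gives.

```python
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class GuardPolicy:
    """Thresholds for the measures listed in the text (values are assumptions)."""
    min_length: int = 8            # minimum comparison size; rejects byte-at-a-time probing
    min_interval: float = 0.001    # seconds between queries per identifier (1 ms in the text)
    max_failures: int = 5          # consecutive failures before queries are paused
    pause_seconds: float = 300.0   # length of the pause after max_failures
    notify_after: int = 3          # consecutive failures that trigger a notification


@dataclass
class _State:
    last_query: float = float("-inf")
    failures: int = 0
    paused_until: float = float("-inf")


class QueryGuard:
    """Applies GuardPolicy to every compare query for a given identifier."""

    def __init__(self, compare: Callable[[str, bytes], bool], policy: Optional[GuardPolicy] = None,
                 clock: Callable[[], float] = time.monotonic,
                 notify: Optional[Callable[[str, int], None]] = None):
        self._compare = compare      # the drive's compare operation (match / no match only)
        self._policy = policy or GuardPolicy()
        self._clock = clock          # injectable so the behaviour can be tested without sleeping
        self._notify = notify
        self._states: Dict[str, _State] = {}

    def _fail(self, identifier: str, st: _State, now: float, verdict: str) -> str:
        """Count a failed or rejected attempt and apply notification and pause rules."""
        st.failures += 1
        if st.failures == self._policy.notify_after and self._notify is not None:
            self._notify(identifier, st.failures)
        if st.failures >= self._policy.max_failures:
            st.paused_until = now + self._policy.pause_seconds
            return "paused"
        return verdict

    def verify(self, identifier: str, candidate: bytes) -> str:
        """Return one of: match, no_match, rejected_too_short, rejected_too_fast, paused."""
        now = self._clock()
        st = self._states.setdefault(identifier, _State())
        if now < st.paused_until:
            return "paused"
        if st.paused_until != float("-inf"):
            # The pause has expired: start counting failures afresh.
            st.paused_until = float("-inf")
            st.failures = 0
        if now - st.last_query < self._policy.min_interval:
            return "rejected_too_fast"
        st.last_query = now
        if len(candidate) < self._policy.min_length:
            # A short candidate is never sent to the drive, and still counts as a failure.
            return self._fail(identifier, st, now, "rejected_too_short")
        if self._compare(identifier, candidate):
            st.failures = 0
            return "match"
        return self._fail(identifier, st, now, "no_match")


def run_demo() -> Tuple[List[str], List[Tuple[str, int]]]:
    """Drive the guard through a constructed sequence of attempts with a fake clock."""
    clock = [0.0]
    alerts: List[Tuple[str, int]] = []
    stored = {"alice": b"correct horse battery"}  # constructed sample; stands in for the drive

    def drive_compare(identifier: str, candidate: bytes) -> bool:
        expected = stored.get(identifier)
        return expected is not None and hmac.compare_digest(expected, candidate)

    guard = QueryGuard(drive_compare,
                       GuardPolicy(min_length=8, min_interval=0.001, max_failures=3,
                                   pause_seconds=10.0, notify_after=2),
                       clock=lambda: clock[0],
                       notify=lambda ident, n: alerts.append((ident, n)))
    verdicts: List[str] = []

    def attempt(candidate: bytes, advance: float) -> None:
        clock[0] += advance
        verdicts.append(guard.verify("alice", candidate))

    attempt(b"c", 1.0)                        # one-byte probe: rejected_too_short (failure 1)
    attempt(b"correct h", 0.0)                # same instant: rejected_too_fast
    attempt(b"correct horse battery", 1.0)    # match; failure count resets
    attempt(b"wrong pass 1", 1.0)             # no_match (failure 1)
    attempt(b"wrong pass 2", 1.0)             # no_match (failure 2) and a notification
    attempt(b"wrong pass 3", 1.0)             # failure 3 reaches max_failures: paused
    attempt(b"correct horse battery", 1.0)    # still inside the 10 s pause: paused
    attempt(b"correct horse battery", 10.0)   # pause expired: match
    return verdicts, alerts


if __name__ == "__main__":
    for verdict in run_demo()[0]:
        print(verdict)
```

The minimum-length check is applied before the candidate ever reaches the compare operation, so a short probe costs the caller a failure without costing the drive a comparison; the pause and notification are keyed per identifier, which is where a sequential guessing series concentrates.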
In various implementations, the verified authentication data set is hashed prior to being written to the write-and-compare-only partition 102 of the storage drive 104 (e.g., a 256-bit (32-byte) hash). In some implementations, the security client 120 performs the hashing, while potentially, in other implementations the drive firmware and/or hardware 126 executing on the storage drive 104 performs the hashing. For example, usernames may be stored un-hashed, while corresponding passwords are hashed using a hashing program executing at the security client 120 or the drive firmware and/or hardware 126. For security reasons, the hashing program may be unknown beyond the data storage network 106, the data storage enclosure 110, or the storage drive 104, depending on where within the data storage network 106 the hashing program is executed. Further, the to-be-verified authentication data set is also hashed by the security client 120 or the drive firmware and/or hardware 126 using the same hashing program prior to being compared to the verified authentication data set to determine whether there is a match.
FIG. 2 illustrates an example local area network system diagram 200 including a write-and-compare-only partition 202 of a data storage drive 204. In various implementations, data storage drive 204 is one of many data storage drives connected to network server 208 within the local area network. Upon physical connection to a corresponding data storage network (not shown, see e.g., data storage network 106 of FIG. 1), the data storage drive 204 requests data access to the data storage network via data connection request 228. Upon detection of the presence of the storage drive 204 and/or receipt of the data connection request 228, server software 230 establishes a data connection 232 with drive firmware and/or hardware 226. Security client 220 executes within the server software 230 running on the network server 208. In various implementations, the security client 220 and data connection 232 may be initiated concurrently or sequentially, but the security client 220 is running prior to authorizing the transfer of any data between the network server 208 and the storage drive 204. The data connection 232 may include read access, write access, and/or read/write access between the network server 208 and the storage drive 204, depending on the network configuration settings, as discussed in detail below.
The network server 208 includes network storage 240, which may serve as a buffer for data transfers to and from the storage drive 204. The storage drive 204 may include three data partitions: the write-and-compare-only partition 202, a read-and-write partition 222, and a read-only partition 224. The write-and-compare-only partition 202 permits data, particularly user authentication data, to be written to the storage drive 204. However, once the data is written to the write-and-compare-only partition 202, it is prohibited from being read by the network server 208, or any other client connected thereto. This is illustrated by data transfer arrow 234 indicating data flow exclusively from network storage 240 to the write-and-compare-only partition 202. In some implementations, a return message from the write-and-compare-only partition 202 to the network storage 240 indicates that the data was successfully written to the write-and-compare-only partition 202.
The read-and-write partition 222 permits data to be read from and written to the storage drive 204 depending on the access level granted to the network server 208, or any other client connected thereto. This is illustrated by data transfer arrow 236 indicating bidirectional data flow between the network storage 240 and the read-and-write partition 222. The read-only partition 224 permits data to be read from, but not written to the storage drive 204, also depending on the access level granted to the network server 208, or any other client connected thereto. This is illustrated by data transfer arrow 238 indicating data flow exclusively from the read-only partition 224 to the network storage 240.
In some implementations, the data stored in the write-and-compare-only partition 202 is formatted in a manner only capable of being read by the drive firmware and/or hardware 226 and cannot be transferred out of the storage drive 204. The write-and-compare-only partition 202, read-and-write partition 222, read-only partition 224 are discussed above in terms of specific partitioned areas of the storage volume of the storage drive 204 for convenience. In other implementations, the data between partitions 202, 222, 224 may be distributed throughout the storage drive 204 with a specific identifier indicating the access state (e.g., write-and-compare-only, read-and-write, or read-only) of each block or other grouping of data.
The drive firmware and/or hardware 226 may be embedded within a secured portion of the storage drive 204 (e.g., the read-only partition 224) with limited communication and read/write access as compared to other partitions of the storage drive 204 (e.g., the read-and-write partition 222). The drive firmware and/or hardware 226 may also be embedded on a separate storage medium within the storage drive 204 meant specifically for the drive firmware and/or hardware 226 and having limited communication and read/write access (e.g., on an application-specific integrated circuit (ASIC)). In some implementations, the drive firmware is not readable and is located in a write-only section of the storage drive 204 that would only be overwritten using a firmware update mechanism that would have to pass internal checking before overwriting the firmware.
Network server 208 manages access to the storage drive 204, which stores data on behalf of one or more web services (not shown, see e.g., web service 113 of FIG. 1) and one or more users (not shown, see e.g., user 114 of FIG. 1) and may be accessible by the web service(s) and user(s) via the Internet (not shown, see e.g., Internet 118). More specifically, data stored on the storage drive 204 belongs to and/or is only accessible to certain web service(s) and user(s). Further, some of the data stored in the write-and-compare-only partition 202 of the storage drive 204 includes a verified authentication data set 242, or a hash list thereof. The verified authentication data set 242 is generally used to authenticate a user requesting access to data on the storage drive 204, access to a web service(s), and/or other access to data available over the Internet but limited to specific users.
As the verified authentication data set 242 is not readable beyond the storage drive 204, the network server 208 contains a hashing program 244 that executes upon request from the security client 220 to hash the verified authentication data set 242 prior to its being written to the write-and-compare-only partition 202. The hashing program 244 may also hash a to-be-verified authentication data set 246 prior to its being compared to the verified authentication data set 242 for user authentication. In other implementations, if user authentication data is considered secure within the write-and-compare-only partition 202, it may be stored as the verified authentication data set 242 in an un-hashed state. If the verified authentication data set 242 is stored in an un-hashed state, the hashing program 244 may not be required. In other implementations, the drive firmware and/or hardware 226 includes software executing on the storage drive 204.
In an example scenario, a user (not shown, see e.g., user 114) creates a username and password (collectively, user authentication data) in conjunction with establishing a Microsoft® Office 365® account. If available and approved by Office 365®, the user authentication data now assigned to the user is transmitted to the network server 208 for storage on behalf of Office 365® and the user. The approved user authentication data may also be referred to herein as the verified authentication data set 242. The verified authentication data set 242 is received by the network server 208, which includes an indicator that the received data is user authentication data. In other implementations, the network server 208 requests the authentication data (e.g., a username and a password), thus the network server 208 is already aware that the received data is user authentication data without a further indicator. The security client 220 executing on the network server 208 then directs the verified authentication data set 242 to be written to the write-and-compare-only partition 202 of the storage drive 204 via the drive firmware and/or hardware 226.
When the user later returns and desires access to their Office 365® account, the user enters their username and password into a web browser associated with Office 365®. Office 365® then submits the received username and password to the network server 208 for verification. The username and password submitted for verification may also be referred to herein as the to-be-verified authentication data set 246. The to-be-verified authentication data set 246 is received by the network server 208, which may include an indicator that the received data is user authentication data to-be-verified. The security client 220 executing on the network server 208 then directs the drive firmware and/or hardware 226 to query the write-and-compare-only partition 202 of the storage drive 204 as to whether the to-be-verified authentication data set 246 matches the verified authentication data set 242. If so, the drive firmware and/or hardware 226 returns a match confirmation to the security client 220. The security client 220 then directs Office 365® to grant the user access to their Office 365® account.
If the to-be-verified authentication data set 246 does not match the verified authentication data set 242, the drive firmware and/or hardware 226 returns a match error to the security client 220. The security client 220 then directs Office 365® to deny the user access to their Office 365® account. The user may then be prompted to retry the verification process by reentering their username and password. Notably, the user's username and password are not read from the write-and-compare-only partition 202 and sent outside of the storage drive 204 to perform the aforementioned verification process. Only a match confirmation or a match error (as appropriate) is returned from the storage drive 204 to the security client 220.
In a further example scenario, a black hat user (see e.g., user 117) is attempting to gain access to the Office 365® account associated with the user. The black hat user may first attempt to gain access to the storage drive 204 to copy data that may contain user authentication data. Even if the black hat user is successful in gaining access to the storage drive 204, as the user authentication data is stored in the write-and-compare-only partition 202, the black hat user will be unsuccessful in copying that data from the storage drive 204.
The black hat user may next attempt to gain access to the Office 365® account associated with the user. As the black hat user does not have the authentication data associated with the user, the black hat user is limited to guessing username/password combinations and submitting them to the security client 220 for the verification process. While the black hat user may repeatedly submit potential username/password combinations to the security client 220, a well-chosen username/password combination will be difficult for the black hat user to guess. Further, additional measures may be implemented to further frustrate attempts by the black hat user to gain access to the Office 365® account associated with the user, as described above.
In various implementations, the verified authentication data set 242 is hashed prior to being written to the write-and-compare-only partition 202 of the storage drive 204. In some implementations, the security client 220 performs the hashing using the hashing program 244, while in other implementations the drive firmware and/or hardware 226 executing on the storage drive 204 performs the hashing. For example, usernames may be stored un-hashed, while corresponding passwords are hashed using the hashing program 244. For security reasons, the hashing program 244 may be unknown beyond the data storage network or the storage drive 204, depending on where the hashing program 244 is executed. Further, the to-be-verified authentication data set 246 may also be hashed by the security client 220 or the drive firmware and/or hardware 226 using the same hashing program 244 prior to being compared to the verified authentication data set 242 to determine whether there is a match.
The storage drive 204 may also include a virtual volume 248 that mirrors the content of the write-and-compare-only partition 202. Rather than querying the drive firmware and/or hardware 226 to determine if the to-be-verified authentication data set 246 matches the verified authentication data set 242, the security client 220 performs a write operation of the to-be-verified authentication data set 246 to the virtual volume 248. The drive firmware and/or hardware 226 then determines if the to-be-verified authentication data set 246 written to the virtual volume 248 matches the verified authentication data set 242 on the write-and-compare-only partition 202. If so, the drive firmware and/or hardware 226 returns a successful write notification to the security client 220 and the security client 220 then authorizes access corresponding to the user. If the to-be-verified authentication data set 246 written to the virtual volume 248 does not match the verified authentication data set 242 on the write-and-compare-only partition 202, the drive firmware and/or hardware 226 returns a write error notification to the security client 220 and the security client 220 then denies access corresponding to the user.
FIG. 3 illustrates example operations 300 for operating a security client to execute user authentication using a write-and-compare-only partition of a data storage drive. An establishing operation 305 establishes a data connection with the data storage drive within a data storage network. In various implementations, the establishing operation 305 includes physically connecting the data storage drive to the data storage network, sending a data connection request from the data storage drive to the data storage network, and a network server granting the data connection request on behalf of the data storage network.
A receiving operation 310 receives a verified authentication data set corresponding to a user. In various implementations, the verified authentication data set includes a user identification and associated password particular to the user (at least with reference to a service that the user is requesting access to) and may be used to later verify the user's identity. An optional hashing operation 315 hashes the verified authentication data set so that it is not sent and stored in a readily readable state.
A writing operation 320 writes the verified authentication data set (hashed or un-hashed) to a write-and-compare-only partition of the data storage drive. The write-and-compare-only partition prohibits the data stored therein from being read by the network server, or any other client connected to the data storage network, including both local clients and remote clients connected via the Internet. This is explicitly distinct from a read-and-write partition that permits data to be read from and written thereto depending on the access level granted to the network server, or any other client connected to the data storage network. This is also explicitly distinct from the read-only partition that permits data to be read from, but not written thereto, also depending on the access level granted to the network server, or any other client connected to the data storage network.
A receiving operation 325 receives a to-be-verified authentication data set from a user requesting access to a web service or data store. A hashing operation 327 hashes the to-be-verified authentication data set so that it may match the hashed verified authentication data set. In some implementations, the hashing operations 315, 327 are omitted.
Querying operation 330 queries the write-and-compare-only partition for a match between the verified authentication data set and the to-be-verified authentication data set. In some implementations, the querying operation 330 may also be referred to as a comparison command and includes several parameters, such as: a specific location on the data storage drive to check (which may include an offset (e.g., byte, sector, entry number, etc.) within a specific sector within the data storage drive), the number of bytes at that specific location to check (which may be implicit based on the to-be-verified authentication data set value), and the to-be-verified authentication data set itself. The verified authentication data set (e.g., the user's username and password) is not read from the write-and-compare-only partition and sent outside of the storage drive to perform the querying operation 330. Only a match confirmation or a match error (as appropriate) is returned from the storage drive to the security client.
In other implementations, the verified authentication data set is split into a key portion and a value portion: the key portion (e.g., the username) is stored in a read-and-write partition, and the value portion (e.g., the password, or its hash) is stored in the write-and-compare-only partition. The location of the value portion within the write-and-compare-only partition is stored alongside the key portion in the read-and-write partition. When a to-be-verified username/password is later presented for verification in the querying operation 330, the username is looked up in the read-and-write partition, and the location stored with it addresses the password entry in the write-and-compare-only partition that is compared.
Decision operation 335 determines if the verified authentication data set matches the to-be-verified authentication data set. The decision operation 335 may be performed by the storage drive firmware and/or hardware so that the verified authentication data set is not read from the storage drive. If the decision operation 335 determines that a match is present, the drive firmware returns a match confirmation to the security client, which in turn authorizes access corresponding to the user in authorizing access operation 340. In various implementations, the verified authentication data set may be re-written following a successful authorizing access operation 340 (e.g., to rotate a credential). If the decision operation 335 determines that a match is not present, the drive firmware returns a match error to the security client, which in turn denies access corresponding to the user in denying access operation 345. In various implementations, the verified authentication data set cannot be re-written after a denying access operation 345 until a subsequent authorizing access operation 340 succeeds.
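The enrollment and verification flow of operations 300, simulated end to end: writing operation 320 into a fixed-size slot, hashing operations 315 and 327 with the same hashing program, a comparison command that takes a location and a candidate and returns only match or no-match, and the split described above in which the username, its salt and its slot location live in the read-and-write partition while only the hash goes to the write-and-compare-only partition. This is an added example, not code from the patent or from Seagate. The class names WcoPartition and SecurityClient, the 32-byte slot layout, PBKDF2-HMAC-SHA256 standing in for hashing program 244/444, and the dict standing in for the read-and-write partition are assumptions. It also enforces the minimum time between queries after a denial recited in claim 5, and compares in constant time inside the partition, a hardening the patent text does not discuss.

```python
import hashlib
import hmac
import os
import time

RECORD_LEN = 32            # assumed fixed-size slot in the WCO partition
PBKDF2_ITERATIONS = 100_000


class WcoPartition:
    """Drive-firmware side of the write-and-compare-only partition.

    Slots can be written and compared; there is deliberately no read method,
    so the stored hashes never leave the 'drive'.
    """

    def __init__(self, slots: int) -> None:
        self._slots = [None] * slots        # private to the firmware

    def write(self, offset: int, record: bytes) -> None:
        """Writing operation 320: store one fixed-size record at `offset`."""
        if len(record) != RECORD_LEN:
            raise ValueError("record must be exactly RECORD_LEN bytes")
        self._slots[offset] = record

    def compare(self, offset: int, candidate: bytes) -> bool:
        """Comparison command (querying operation 330).

        Parameters mirror the text: location, implicit length, candidate.
        Returns only match / no-match. hmac.compare_digest keeps the
        comparison constant-time (editorial hardening, not from the patent).
        """
        stored = self._slots[offset]
        if stored is None:
            return False
        return hmac.compare_digest(stored, candidate)


def hash_password(password: str, salt: bytes) -> bytes:
    """Hashing program 244/444; PBKDF2-HMAC-SHA256 is an assumed choice."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=RECORD_LEN)


class SecurityClient:
    """Network-server side. Usernames, salts and slot locations live in the
    read-and-write partition (a dict here); password hashes go to the WCO
    partition and are addressed by the stored location."""

    def __init__(self, wco: WcoPartition, min_retry_seconds: float = 1.0,
                 clock=time.monotonic) -> None:
        self._wco = wco
        self._rw = {}                 # username -> (salt, offset)
        self._next_free = 0
        self._min_retry = min_retry_seconds
        self._last_denied = {}        # username -> time of last match error
        self._clock = clock

    def enroll(self, username: str, password: str) -> None:
        """Receiving operation 310 plus writing operation 320 for one user."""
        salt = os.urandom(16)
        offset = self._next_free
        self._next_free += 1
        self._wco.write(offset, hash_password(password, salt))
        self._rw[username] = (salt, offset)

    def authenticate(self, username: str, password: str) -> str:
        """Operations 325-345: returns 'authorized', 'denied' or 'rate_limited'."""
        entry = self._rw.get(username)
        if entry is None:
            hash_password(password, bytes(16))   # same cost for unknown users
            return "denied"
        salt, offset = entry
        now = self._clock()
        last = self._last_denied.get(username)
        if last is not None and now - last < self._min_retry:
            return "rate_limited"     # claim 5: minimum time between queries
        if self._wco.compare(offset, hash_password(password, salt)):
            self._last_denied.pop(username, None)
            return "authorized"
        self._last_denied[username] = now
        return "denied"
```

The point to check on a real drive is the one the class makes structurally: the host never gets a read path to the slot, only a write and a compare, so a compromised network server can still verify credentials but cannot dump them. The salt is stored with the username rather than in the partition because the client has to reproduce the hash before it can issue the compare; the salt is not secret, only the hash is.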
In another implementation, the query operation 330 is performed using a write operation to a virtual volume that mirrors the write-and-compare-only partition of the data storage drive. More specifically, the drive firmware compares the to-be-verified authentication data set written to the virtual volume to the verified authentication data set in decision operation 335. The drive firmware returns a successful write notification if the to-be-verified authentication data set written to the virtual volume matches the verified authentication data set in the write-and-compare-only partition of the data storage drive (resulting in the authorize access operation 340). The drive firmware returns a write error notification if the to-be-verified authentication data set written to the virtual volume does not match the verified authentication data set in the write-and-compare-only partition of the data storage drive (resulting in the deny access operation 345).
In yet another implementation, the query operation 330 is performed using an atomic test-and-set command. More specifically, the drive firmware checks if a to-be-verified authentication data set matches a verified authentication data set. In one implementation, a test-data field of the to-be-verified authentication data set is compared against a test-data field of the verified authentication data set. If a match is present, a match success confirmation is returned to the security client (resulting in the authorize access operation 340). In some implementations, the verified authentication data set (or a set-data-field thereof) is replaced with the to-be-verified authentication data set (or a set-data-field thereof, which may be the same value) and a successful write confirmation is returned to the security client (also resulting in the authorize access operation 340). In other implementations, the verified authentication data set is not replaced with the to-be-verified authentication data set (which is the same value) as the write command is ignored, but a successful match confirmation (e.g., of the test-data fields) is returned to the security client (also resulting in the authorize access operation 340). If the to-be-verified authentication data set does not match the verified authentication data set, a write error notification is returned to the security client (resulting in the deny access operation 345).
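The virtual-volume write path (the mirror write to volume 248 described earlier and the atomic test-and-set variant just above), simulated as an added example; this is not code from the patent or from Seagate. The TasRecord layout with separate test-data and set-data fields, the WriteStatus values, the replace_on_match switch and the class names are assumptions. It also covers the re-write-after-successful-authorization case of decision operation 335: a record whose set-data differs from its test-data rotates the stored credential inside the same atomic command, so a stale credential can never be used to overwrite a fresh one.

```python
import hmac
from dataclasses import dataclass
from enum import Enum


class WriteStatus(Enum):
    SUCCESS = "successful write notification"   # -> authorize access (340)
    ERROR = "write error notification"          # -> deny access (345)


@dataclass(frozen=True)
class TasRecord:
    """Atomic test-and-set payload (assumed layout).

    test_data is compared against the stored value; set_data replaces it
    when the comparison succeeds and may equal test_data.
    """
    test_data: bytes
    set_data: bytes


class VirtualVolume:
    """Mirror of the write-and-compare-only partition.

    The host only ever 'writes' to it; the drive answers with a write
    status, never with data.
    """

    def __init__(self, replace_on_match: bool = True) -> None:
        self._store = {}                 # offset -> bytes, firmware-private
        self._replace = replace_on_match

    def provision(self, offset: int, verified: bytes) -> None:
        """Initial write of the verified authentication data (operation 320)."""
        self._store[offset] = verified

    def write(self, offset: int, record: TasRecord) -> WriteStatus:
        """Write to the mirror succeeds only if test_data matches the slot.

        Constant-time comparison is editorial hardening, not from the patent.
        """
        stored = self._store.get(offset)
        if stored is None or not hmac.compare_digest(stored, record.test_data):
            return WriteStatus.ERROR
        if self._replace:
            self._store[offset] = record.set_data   # atomic credential update
        return WriteStatus.SUCCESS
```

With replace_on_match set to False the volume behaves as the "write command is ignored" variant: a matching write still returns SUCCESS but never changes the slot, which is the safer default when the host is not meant to rotate credentials through this path.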
In some implementations, the query operation 330 is used to determine whether to grant access to a user (as shown in FIG. 3 and described in detail above). In other implementations, the decision operation 335 that determines whether a match is present is an end in itself. For example, the write-and-compare-only partition could be used to validate a user using sensitive user information (e.g., social security numbers) without granting any particular access. Similar confirmations or validations could be performed with a digital signature received from a third party. The security client could also maintain a data set of sensitive user identification information without having that information available for copying, and use the write-and-compare-only partition to validate whether a given user identification is in the data set.
The operations 300 may iteratively repeat to authorize access for additional users, or the same user if access is initially denied and the user re-attempts user authentication.
FIG. 4 illustrates an example system diagram of a computer system 400 (e.g., a network server) suitable for implementing aspects of a security client executing user authentication using a write-and-compare-only partition 402 of a data storage drive 404. The storage drive 404 may include one or more of three data partitions, the write-and-compare-only partition 402, a read-and-write partition 422, and a read-only partition 424. The write-and-compare-only partition 402 permits data, particularly user authentication data, to be written to the storage drive 404. However, once the data is written to the write-and-compare-only partition 402, it is prohibited from being read by the computer system 400. In some implementations, the data stored in the write-and-compare-only partition 402 is formatted in a manner only capable of being read by drive firmware/hardware 426.
Computer system 400 manages access to the storage drive 404, which stores data on behalf of one or more web services (not shown, see e.g., web service 113 of FIG. 1 ) and one or more users (not shown, see e.g., user 114 of FIG. 1 ) and may be accessible by the web service(s) and user(s) via the Internet (not shown, see e.g., Internet 118). More specifically, data stored on the storage drive 404 belongs to and/or is only accessible to certain web service(s) and user(s). Further, some of the data stored in the write-and-compare-only partition 402 of the storage drive 404 includes a verified authentication data set 442, or a hash list thereof. In various implementations, the storage drive 404 can be organized with a file, block, or object storage format, or perhaps a combination thereof varying across different partitions. The verified authentication data set 442 is generally used to authenticate a user requesting access to data on the storage drive 404, access to a web service(s), and/or other access to data available over the Internet.
Because the verified authentication data set 442 is not readable beyond the storage drive 404, the drive firmware/hardware 426 may contain a hashing program 444 that executes upon request to hash the verified authentication data set 442 prior to its being written to the write-and-compare-only partition 402. The hashing program 444 may also hash a to-be-verified authentication data set (not shown, see e.g., to-be-verified authentication data set 246 of FIG. 2 ) prior to its being compared to the verified authentication data set 442 for user authentication. In other implementations, the hashing program 444 is located at the network server level.
The storage drive 404 is connected to a data storage network via the computer system 400, which may be a network server controlling the data storage network (not shown, see e.g., data storage network 106 of FIG. 1 ). The system 400 includes a bus 401, which interconnects major subsystems such as a processor 405, system storage 407 (such as random-access memory (RAM) and read-only memory (ROM)), an input/output (I/O) controller 409, removable storage (such as a memory card) 423, a power supply 428, and external devices such as a display screen 410 via a display adapter 412, and various input peripherals 414 (e.g., a mouse, trackpad, keyboard, touchscreen, joystick, and/or smart card acceptance device). Wireless interface 425 together with a wired network interface 427, may be used to interface to the data storage network and/or a local or wide area network (such as the Internet) using any network interface system known to those skilled in the art.
Many other devices or subsystems (not shown) may be connected in a similar manner (e.g., servers, personal computers, tablet computers, smart phones, mobile devices, etc.). Also, it is not necessary for all of the components depicted in FIG. 4 to be present to practice the presently disclosed technology. Furthermore, devices and components thereof may be interconnected in different ways from that shown in FIG. 4 . Code (e.g., computer software, including mobile applications (apps)) to implement the presently disclosed technology may be operably disposed in the system storage 407, removable storage 423, and/or the storage drive 404. For example, code for implementing the write-and-compare-only partition 402 described in detail above may be stored in the drive firmware/hardware 426, as shown.
The computing system 400 may include a variety of tangible computer-readable storage media (e.g., the system storage 407, the removable storage 423, and the storage drive 404) and intangible computer-readable communication signals. Tangible computer-readable storage can be embodied by any available media that can be accessed by the computing system 400 and includes both volatile and non-volatile storage media, as well as removable and non-removable storage media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules, and/or other data. Tangible computer-readable storage media includes, but is not limited to, firmware, RAM, ROM, electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, optical disc storage, magnetic cassettes, magnetic tape, magnetic disc storage or other magnetic storage devices, or any other tangible medium which can be used to store the desired information and which can be accessed by the computing system 400.
Intangible computer-readable communication signals may embody computer readable instructions, data structures, program modules, or other data resident in a modulated data signal, such as a carrier wave or other signal transport mechanism. The term “modulated data signal” means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, intangible communication signals include signals traveling through wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio frequency (RF), infrared (IR), and other wireless media. Computer-readable storage media as defined herein specifically excludes intangible computer-readable communications signals.
Some implementations may comprise an article of manufacture which may comprise a tangible storage medium to store logic. Examples of a storage medium may include one or more types of computer-readable storage media capable of storing electronic data, including volatile memory or non-volatile memory, removable or non-removable memory, erasable or non-erasable memory, writeable or re-writeable memory, and so forth. Examples of the logic may include various software elements, such as software components, programs, applications, computer programs, application programs, system programs, machine programs, operating system software, middleware, firmware, software modules, routines, subroutines, operation segments, methods, procedures, software interfaces, application program interfaces (APIs), instruction sets, computing code, computer code, code segments, computer code segments, words, values, symbols, or any combination thereof. In one implementation, for example, an article of manufacture may store executable computer program instructions that, when executed by a computer, cause the computer to perform methods and/or operations in accordance with the described implementations. The executable computer program instructions may include any suitable type of code, such as source code, compiled code, interpreted code, executable code, static code, dynamic code, and the like. The executable computer program instructions may be implemented according to a predefined computer language, manner or syntax, for instructing a computer to perform a certain operation segment. The instructions may be implemented using any suitable high-level, low-level, object-oriented, visual, compiled and/or interpreted programming language.
The presently disclosed technology may be implemented as logical steps in one or more computer systems (e.g., as a sequence of processor-implemented steps executing in one or more computer systems and as interconnected machine or circuit modules within one or more computer systems). The implementation is a matter of choice, dependent on the performance requirements of the computer system implementing the presently disclosed technology. Accordingly, the logical operations making up implementations of the presently disclosed technology are referred to variously as operations, steps, objects, or modules. Furthermore, it should be understood that logical operations may be performed in any order, adding or replacing operations as desired, unless explicitly claimed otherwise or a specific order is inherently necessitated by the claim language.
The above specification, examples, and data provide a complete description of the structure and use of exemplary implementations of the presently disclosed technology. Since many implementations of the presently disclosed technology can be made without departing from the spirit and scope of the invention, the presently disclosed technology resides in the claims hereinafter appended. Furthermore, structural features of the different implementations may be combined in yet another implementation without departing from the recited claims.

Claims (16)

What is claimed is:
1. A method of operating an authentication service within a data storage network, comprising:
writing a verified authentication data set specific to an approved user to a write-and-compare-only partition of a data storage device, the verified authentication data set being writable to the write-and-compare-only partition but unreadable to any user from the write-and-compare-only partition;
querying the write-and-compare-only partition for a match between the verified authentication data set and a to-be-verified authentication data set received from the approved user by writing the to-be-verified authentication data set to a virtual volume mirroring the write-and-compare-only partition of the data storage device; and
receiving a match confirmation from the write-and-compare-only partition that the to-be-verified authentication data set matches the verified authentication data set in the form of a successful write notification of the to-be-verified authentication data.
2. The method of claim 1, further comprising:
authorizing the approved user access responsive to receiving the match confirmation from the write-and-compare-only partition of the data storage device.
3. The method of claim 1, further comprising:
querying the write-and-compare-only partition for a match between the verified authentication data set and another to-be-verified authentication data set;
receiving a match error from the write-and-compare-only partition that the to-be-verified authentication data set does not match the verified authentication data set.
4. The method of claim 3, further comprising:
denying access responsive to receiving the match error.
5. The method of claim 3, wherein repetition of the querying operation resulting in denying access is limited to a minimum time between queries.
6. The method of claim 1, wherein the query operation and receiving the match confirmation is performed using an atomic test-and-set command.
7. The method of claim 1, further comprising:
hashing the verified authentication data set prior to writing to the write-and-compare-only partition of the data storage device; and
hashing the to-be-verified authentication data set prior to querying the write-and-compare-only partition for a match between the verified authentication data set and the to-be-verified authentication data set.
8. A data storage network comprising:
a data storage device storing a verified authentication data set specific to an approved user in a write-and-compare-only partition of the data storage device, the verified authentication data set being writable to the write-and-compare-only partition but unreadable to any user from the write-and-compare-only partition; and
a network server to query the write-and-compare-only partition for a match between the verified authentication data set and a to-be-verified authentication data set received from the approved user by writing the to-be-verified authentication data set to a virtual volume mirroring the write-and-compare-only partition of the data storage device, the network server further to receive a match confirmation from the write-and-compare-only partition that the to-be-verified authentication data set matches the verified authentication data set in the form of a successful write notification of the to-be-verified authentication data.
9. The data storage network of claim 8, the network server further to authorize the approved user access responsive to receiving the match confirmation from the write-and-compare-only partition of the data storage device.
10. The data storage network of claim 9, the network server further to hash the verified authentication data set prior to writing to the write-and-compare-only partition of the data storage device, the network server further to hash the to-be-verified authentication data set prior to querying the write-and-compare-only partition for a match between the verified authentication data set and the to-be-verified authentication data set.
11. The data storage network of claim 8, the network server further to query the write-and-compare-only partition for a match between the verified authentication data set and another to-be-verified authentication data set, the network server further to receive a match error from the write-and-compare-only partition that the to-be-verified authentication data set does not match the verified authentication data set.
12. The data storage network of claim 11, the network server further to deny access responsive to receiving the match error.
13. The data storage network of claim 12, wherein repetition of the query operation resulting in denying access is limited to a minimum time between queries.
14. The data storage network of claim 8, wherein the query operation and receiving the match confirmation is performed using an atomic test-and-set command.
15. One or more computer-readable storage media encoding computer-executable instructions for executing on a computer system an authentication service within a data storage network, the authentication service comprising:
writing a verified authentication data set specific to an approved user to a write-and-compare-only partition of a data storage device, the verified authentication data set being writable to the write-and-compare-only partition but unreadable to any user from the write-and-compare-only partition;
querying the write-and-compare-only partition for a match between the verified authentication data set and a to-be-verified authentication data set received from the approved user by writing the to-be-verified authentication data set to a virtual volume mirroring the write-and-compare-only partition of the data storage device;
receiving a match confirmation from the write-and-compare-only partition that the to-be-verified authentication data set matches the verified authentication data set in the form of a successful write notification of the to-be-verified authentication data; and
authorizing the approved user access responsive to receiving the match confirmation from the write-and-compare-only partition of the data storage device.
16. The computer-readable storage media of claim 15, the authentication service further comprising:
querying the write-and-compare-only partition for a match between the verified authentication data set and another to-be-verified authentication data set;
receiving a match error from the write-and-compare-only partition that the to-be-verified authentication data set does not match the verified authentication data set; and
denying access responsive to receiving the match error.
US16/777,722 2020-01-30 2020-01-30 Write and compare only data storage Active 2040-11-23 US11782610B2 (en)


Publications (2)

Publication Number Publication Date
US20210240363A1 US20210240363A1 (en) 2021-08-05
US11782610B2 true US11782610B2 (en) 2023-10-10

Family

ID=77063137

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11438171B2 (en) * 2020-03-05 2022-09-06 Micron Technology, Inc. Virtualized authentication device
JP2021175149A (en) * 2020-04-30 2021-11-01 キヤノン株式会社 Electronic apparatus, method for controlling electronic apparatus, and program

Citations (90)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5048085A (en) * 1989-10-06 1991-09-10 International Business Machines Corporation Transaction system security method and apparatus
US6237008B1 (en) * 1998-07-20 2001-05-22 International Business Machines Corporation System and method for enabling pair-pair remote copy storage volumes to mirror data in another storage volume
US20020107862A1 (en) * 2001-02-02 2002-08-08 Moore Christopher S. Memory device and method for reading data stored in a portion of a memory device unreadable by a file system of a host device
US6654851B1 (en) * 2000-03-14 2003-11-25 International Business Machine Corporation System, apparatus, and method for using a disk drive for sequential data access
US6711660B1 (en) * 2001-06-22 2004-03-23 Western Digital Ventures, Inc. System and method for performing disk drive diagnostics and restoration using a host-inaccessible hidden partition
US6731536B1 (en) * 2001-03-05 2004-05-04 Advanced Micro Devices, Inc. Password and dynamic protection of flash memory data
US20050005033A1 (en) * 2003-04-30 2005-01-06 Stonefly Networks, Inc. Apparatus and method for packet based storage virtualization
US20050010767A1 (en) * 2003-06-19 2005-01-13 International Business Machines Corporation System and method for authenticating software using hidden intermediate keys
US20050038969A1 (en) * 2003-08-11 2005-02-17 Karl Schrodinger Control apparatus and method for controlling access to a memory in an integrated circuit for an electronic module
US20050114896A1 (en) * 2003-11-21 2005-05-26 Hug Joshua D. Digital rights management for content rendering on playback devices
US6907507B1 (en) * 2002-12-19 2005-06-14 Veritas Operating Corporation Tracking in-progress writes through use of multi-column bitmaps
US20050172144A1 (en) * 2002-05-20 2005-08-04 Tong Shao Apparatus and method for securely isolating hard disk
US20050194480A1 (en) * 2004-02-16 2005-09-08 Fuji Xerox Co., Ltd. Shredder and shredding method
US20050268054A1 (en) * 2004-05-27 2005-12-01 Werner Sam C Instant virtual copy to a primary mirroring portion of data
US7024549B1 (en) * 2001-07-31 2006-04-04 Western Digital Ventures, Inc. Disk drive having a protected partition configured to load an operating system for performing a user-selected function
US20060179343A1 (en) * 2005-02-08 2006-08-10 Hitachi, Ltd. Method and apparatus for replicating volumes between heterogenous storage systems
US7103909B1 (en) * 1999-02-25 2006-09-05 Fujitsu Limited Method of unlocking password lock of storage device, information processor, computer-readable recording medium storing unlocking program, and control device
US20070058450A1 (en) * 2005-09-09 2007-03-15 Searete Llc, A Limited Liability Corporation Of The State Of Delaware Limited use data storing device
US7254719B1 (en) * 2002-08-08 2007-08-07 Briceno Marc A Method and system for protecting software
US20070239952A1 (en) * 2006-04-10 2007-10-11 Wen-Shyang Hwang System And Method For Remote Mirror Data Backup Over A Network
US20070266242A1 (en) * 2006-05-11 2007-11-15 Megachips Corporation Memory device
US20070271378A1 (en) * 2006-05-19 2007-11-22 Seiko Epson Corporation Storage Driver, Electronic Device, and Access Control Method
US20080031061A1 (en) * 2006-08-03 2008-02-07 Micron Technology, Inc. System and method for initiating a bad block disable process in a non-volatile memory
US20080098469A1 (en) * 2005-07-07 2008-04-24 Tomoaki Morijiri Authentication entity device, verification device and authentication request device
US20080104360A1 (en) * 2006-10-31 2008-05-01 Fujitsu Limited Storage virtualization switch and computer system
US7383381B1 (en) * 2003-02-28 2008-06-03 Sun Microsystems, Inc. Systems and methods for configuring a storage virtualization environment
US7389393B1 (en) * 2004-10-21 2008-06-17 Symantec Operating Corporation System and method for write forwarding in a storage environment employing distributed virtualization
US7430568B1 (en) * 2003-02-28 2008-09-30 Sun Microsystems, Inc. Systems and methods for providing snapshot capabilities in a storage virtualization environment
US20080244172A1 (en) * 2007-03-29 2008-10-02 Yoshiki Kano Method and apparatus for de-duplication after mirror operation
US20090044100A1 (en) * 2007-08-06 2009-02-12 Apple Inc. Staging Electronic Publications
US20090122666A1 (en) * 2005-08-05 2009-05-14 Searete Llc Limited use memory device with associated information
US20090208002A1 (en) * 2008-02-20 2009-08-20 Susann Marie Koehane Preventing replay attacks in encrypted file systems
US20090216921A1 (en) * 2006-04-06 2009-08-27 Sony Corporation Bridge, processor unit, information processing apparatus, and access control method
US20100017625A1 (en) * 2003-11-20 2010-01-21 Johnson Richard C Architecure, system, and method for operating on encrypted and/or hidden information
US20100017670A1 (en) * 2008-07-21 2010-01-21 International Business Machines Corporation Automatic Data Recovery System
US20100058004A1 (en) * 2005-05-09 2010-03-04 Searete Llc, A Limited Liability Corporation Of The State Of Delaware Method of manufacturing a limited use data storing device
US20100071071A1 (en) * 2008-09-15 2010-03-18 Realnetworks, Inc. Secure media path system and method
US20100138687A1 (en) * 2008-11-28 2010-06-03 Fujitsu Limited Recording medium storing failure isolation processing program, failure node isolation method, and storage system
US7743031B1 (en) * 2002-09-06 2010-06-22 3Par, Inc. Time and space efficient technique for creating virtual volume copies
US20100241654A1 (en) * 2009-03-23 2010-09-23 Riverbed Technology, Inc. Virtualized data storage system optimizations
US20100323664A1 (en) * 2009-06-18 2010-12-23 Girish Sivaram Dedicated memory partitions for users of a shared mobile device
US20110019509A1 (en) * 2005-05-09 2011-01-27 Searete Llc, A Limited Liability Corporation Of State Of Delaware Limited use data storing device
US20110238915A1 (en) * 2010-03-29 2011-09-29 Fujitsu Limited Storage system
US20110258376A1 (en) * 2010-04-15 2011-10-20 Lsi Corporation Methods and apparatus for cut-through cache management for a mirrored virtual volume of a virtualized storage system
US20110315763A1 (en) * 2009-03-12 2011-12-29 Hochmuth Roland M Dynamic Remote Peripheral Binding
US8094500B2 (en) 2009-01-05 2012-01-10 Sandisk Technologies Inc. Non-volatile memory and method with write cache partitioning
US20120155836A1 (en) * 2010-12-21 2012-06-21 General Instrument Corporation System and method for transferring digital content
US20130007393A1 (en) * 2011-06-28 2013-01-03 Daisuke Taki Memory device
US20130023240A1 (en) * 2011-05-17 2013-01-24 Avish Jacob Weiner System and method for transaction security responsive to a signed authentication
US20130073840A1 (en) * 2011-09-21 2013-03-21 Pantech Co., Ltd. Apparatus and method for generating and managing an encryption key
US20130080828A1 (en) * 2011-09-23 2013-03-28 Lsi Corporation Methods and apparatus for marking writes on a write-protected failed device to avoid reading stale data in a raid storage system
US8412837B1 (en) 2004-07-08 2013-04-02 James A. Roskind Data privacy
US20130305388A1 (en) * 2012-05-10 2013-11-14 Qualcomm Incorporated Link status based content protection buffers
US20130346691A1 (en) * 2012-06-26 2013-12-26 Chien-Liang Wu Method of Securing data in Storage Device and Storage Device thereof
US20140052942A1 (en) * 2012-08-15 2014-02-20 Fujitsu Limited Method for controlling storages and storage control apparatus
US8762635B1 (en) * 2005-03-31 2014-06-24 Google Inc. Method and apparatus for selecting and storing data on a hard disk drive
US20140195480A1 (en) * 2010-12-13 2014-07-10 Fusion-Io, Inc. Persistent memory management
US20140208155A1 (en) * 2013-01-24 2014-07-24 Hewlett-Packard Development Company, L.P. Rebuilding drive data
US20140325263A1 (en) * 2013-04-30 2014-10-30 Fujitsu Limited Storage system, control apparatus, computer product, and control method
US8941469B1 (en) * 2010-06-14 2015-01-27 Impinj, Inc. RFID tag authentication with public-key cryptography
US20150193634A1 (en) * 2014-01-03 2015-07-09 Samsung Electronics Co., Ltd. Image processing apparatus and control method thereof
US9098718B2 (en) 2008-01-07 2015-08-04 Security First Corp. Systems and methods for securing data using multi-factor or keyed dispersal
US20150347769A1 (en) * 2014-05-30 2015-12-03 Apple Inc. Permission request
US9235474B1 (en) * 2011-02-17 2016-01-12 Axcient, Inc. Systems and methods for maintaining a virtual failover volume of a target computing system
US20160261412A1 (en) * 2015-03-04 2016-09-08 Avaya Inc. Two-Step Authentication And Activation of Quad Small Form Factor Pluggable (QFSP+) Transceivers
US20160371496A1 (en) * 2015-06-16 2016-12-22 Microsoft Technology Licensing, Llc Protected regions
US20170075631A1 (en) * 2015-09-14 2017-03-16 Fujitsu Limited Storage system, storage control device, and access control method
US20170111388A1 (en) * 2015-10-20 2017-04-20 Mcafee, Inc. Centralized and Automated Recovery
US20170185482A1 (en) * 2015-12-29 2017-06-29 Cnex Labs, Inc. Computing system with circular-shift recovery mechanism and method of operation thereof
US20170277451A1 (en) * 2016-03-22 2017-09-28 Kabushiki Kaisha Toshiba Method to limit impact of partial media failure of disk drive and detect/report the loss of data for objects due to partial failure of media
US20180024762A1 (en) * 2016-07-22 2018-01-25 International Business Machines Corporation Data access management in distributed computer storage environments
US20180054432A1 (en) * 2016-08-19 2018-02-22 Microsoft Technology Licensing, Llc Protection feature for data stored at storage service
US9910739B1 (en) * 2011-03-31 2018-03-06 EMC IP Holding Company LLC Inverse star replication
US20180129520A1 (en) * 2016-11-07 2018-05-10 Beijing Baidu Netcom Science And Technology Co., Ltd. Method and apparatus for starting virtual machine
US20180232249A1 (en) * 2017-02-15 2018-08-16 International Business Machines Corporation Virtual machine migration between software defined storage systems
US10074391B1 (en) * 2017-03-08 2018-09-11 Kabushiki Kaisha Toshiba Spiral-based self-servo-write on single disk surface
US20180260273A1 (en) * 2017-03-09 2018-09-13 Hewlett Packard Enterprise Development Lp Detection of error patterns in memory dies
US10083093B1 (en) * 2011-03-31 2018-09-25 EMC IP Holding Company LLC Consistent replication in a geographically disperse active environment
US10121033B1 (en) * 2011-11-30 2018-11-06 Impinj, Inc. Enhanced RFID tag authentication
US20190034620A1 (en) * 2017-07-31 2019-01-31 Dell Products, L.P. System shipment lock
US20190138405A1 (en) * 2017-09-29 2019-05-09 Huawei Technologies Co., Ltd. Data Loading Method and Apparatus
US20190286805A1 (en) * 2018-03-13 2019-09-19 Ethernom, Inc. Secure tamper resistant smart card
US20190342284A1 (en) * 2018-05-07 2019-11-07 Vmware, Inc. Secure gateway onboarding via mobile devices for internet of things device management
US20200073828A1 (en) * 2018-09-04 2020-03-05 Via Technologies, Inc. Security system and method of stored data
US20200233967A1 (en) * 2019-01-23 2020-07-23 Micron Technology, Inc. Memory devices with cryptographic components
US20200257470A1 (en) * 2019-02-12 2020-08-13 International Business Machines Corporation Storage device with mandatory atomic-only access
US20200313899A1 (en) * 2019-03-25 2020-10-01 Micron Technology, Inc. Using memory as a block in a block chain
US20200311314A1 (en) * 2019-03-25 2020-10-01 Micron Technology, Inc. Data attestation in memory
US20210089684A1 (en) * 2019-09-20 2021-03-25 Alibaba Group Holding Limited Controlled access to data stored in a secure partition
US20210103528A1 (en) * 2019-10-03 2021-04-08 Microsoft Technology Licensing, Llc Protection of data in memory of an integrated circuit using a secret token

Patent Citations (90)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5048085A (en) * 1989-10-06 1991-09-10 International Business Machines Corporation Transaction system security method and apparatus
US6237008B1 (en) * 1998-07-20 2001-05-22 International Business Machines Corporation System and method for enabling pair-pair remote copy storage volumes to mirror data in another storage volume
US7103909B1 (en) * 1999-02-25 2006-09-05 Fujitsu Limited Method of unlocking password lock of storage device, information processor, computer-readable recording medium storing unlocking program, and control device
US6654851B1 (en) * 2000-03-14 2003-11-25 International Business Machine Corporation System, apparatus, and method for using a disk drive for sequential data access
US20020107862A1 (en) * 2001-02-02 2002-08-08 Moore Christopher S. Memory device and method for reading data stored in a portion of a memory device unreadable by a file system of a host device
US6731536B1 (en) * 2001-03-05 2004-05-04 Advanced Micro Devices, Inc. Password and dynamic protection of flash memory data
US6711660B1 (en) * 2001-06-22 2004-03-23 Western Digital Ventures, Inc. System and method for performing disk drive diagnostics and restoration using a host-inaccessible hidden partition
US7024549B1 (en) * 2001-07-31 2006-04-04 Western Digital Ventures, Inc. Disk drive having a protected partition configured to load an operating system for performing a user-selected function
US20050172144A1 (en) * 2002-05-20 2005-08-04 Tong Shao Apparatus and method for securely isolating hard disk
US7254719B1 (en) * 2002-08-08 2007-08-07 Briceno Marc A Method and system for protecting software
US7743031B1 (en) * 2002-09-06 2010-06-22 3Par, Inc. Time and space efficient technique for creating virtual volume copies
US6907507B1 (en) * 2002-12-19 2005-06-14 Veritas Operating Corporation Tracking in-progress writes through use of multi-column bitmaps
US7430568B1 (en) * 2003-02-28 2008-09-30 Sun Microsystems, Inc. Systems and methods for providing snapshot capabilities in a storage virtualization environment
US7383381B1 (en) * 2003-02-28 2008-06-03 Sun Microsystems, Inc. Systems and methods for configuring a storage virtualization environment
US20050005033A1 (en) * 2003-04-30 2005-01-06 Stonefly Networks, Inc. Apparatus and method for packet based storage virtualization
US20050010767A1 (en) * 2003-06-19 2005-01-13 International Business Machines Corporation System and method for authenticating software using hidden intermediate keys
US20050038969A1 (en) * 2003-08-11 2005-02-17 Karl Schrodinger Control apparatus and method for controlling access to a memory in an integrated circuit for an electronic module
US20100017625A1 (en) * 2003-11-20 2010-01-21 Johnson Richard C Architecure, system, and method for operating on encrypted and/or hidden information
US20050114896A1 (en) * 2003-11-21 2005-05-26 Hug Joshua D. Digital rights management for content rendering on playback devices
US20050194480A1 (en) * 2004-02-16 2005-09-08 Fuji Xerox Co., Ltd. Shredder and shredding method
US20050268054A1 (en) * 2004-05-27 2005-12-01 Werner Sam C Instant virtual copy to a primary mirroring portion of data
US8412837B1 (en) 2004-07-08 2013-04-02 James A. Roskind Data privacy
US7389393B1 (en) * 2004-10-21 2008-06-17 Symantec Operating Corporation System and method for write forwarding in a storage environment employing distributed virtualization
US20060179343A1 (en) * 2005-02-08 2006-08-10 Hitachi, Ltd. Method and apparatus for replicating volumes between heterogenous storage systems
US8762635B1 (en) * 2005-03-31 2014-06-24 Google Inc. Method and apparatus for selecting and storing data on a hard disk drive
US20100058004A1 (en) * 2005-05-09 2010-03-04 Searete Llc, A Limited Liability Corporation Of The State Of Delaware Method of manufacturing a limited use data storing device
US20110019509A1 (en) * 2005-05-09 2011-01-27 Searete Llc, A Limited Liability Corporation Of State Of Delaware Limited use data storing device
US20080098469A1 (en) * 2005-07-07 2008-04-24 Tomoaki Morijiri Authentication entity device, verification device and authentication request device
US20090122666A1 (en) * 2005-08-05 2009-05-14 Searete Llc Limited use memory device with associated information
US20070058450A1 (en) * 2005-09-09 2007-03-15 Searete Llc, A Limited Liability Corporation Of The State Of Delaware Limited use data storing device
US20090216921A1 (en) * 2006-04-06 2009-08-27 Sony Corporation Bridge, processor unit, information processing apparatus, and access control method
US20070239952A1 (en) * 2006-04-10 2007-10-11 Wen-Shyang Hwang System And Method For Remote Mirror Data Backup Over A Network
US20070266242A1 (en) * 2006-05-11 2007-11-15 Megachips Corporation Memory device
US20070271378A1 (en) * 2006-05-19 2007-11-22 Seiko Epson Corporation Storage Driver, Electronic Device, and Access Control Method
US20080031061A1 (en) * 2006-08-03 2008-02-07 Micron Technology, Inc. System and method for initiating a bad block disable process in a non-volatile memory
US20080104360A1 (en) * 2006-10-31 2008-05-01 Fujitsu Limited Storage virtualization switch and computer system
US20080244172A1 (en) * 2007-03-29 2008-10-02 Yoshiki Kano Method and apparatus for de-duplication after mirror operation
US20090044100A1 (en) * 2007-08-06 2009-02-12 Apple Inc. Staging Electronic Publications
US9098718B2 (en) 2008-01-07 2015-08-04 Security First Corp. Systems and methods for securing data using multi-factor or keyed dispersal
US20090208002A1 (en) * 2008-02-20 2009-08-20 Susann Marie Koehane Preventing replay attacks in encrypted file systems
US20100017670A1 (en) * 2008-07-21 2010-01-21 International Business Machines Corporation Automatic Data Recovery System
US20100071071A1 (en) * 2008-09-15 2010-03-18 Realnetworks, Inc. Secure media path system and method
US20100138687A1 (en) * 2008-11-28 2010-06-03 Fujitsu Limited Recording medium storing failure isolation processing program, failure node isolation method, and storage system
US8094500B2 (en) 2009-01-05 2012-01-10 Sandisk Technologies Inc. Non-volatile memory and method with write cache partitioning
US20110315763A1 (en) * 2009-03-12 2011-12-29 Hochmuth Roland M Dynamic Remote Peripheral Binding
US20100241654A1 (en) * 2009-03-23 2010-09-23 Riverbed Technology, Inc. Virtualized data storage system optimizations
US20100323664A1 (en) * 2009-06-18 2010-12-23 Girish Sivaram Dedicated memory partitions for users of a shared mobile device
US20110238915A1 (en) * 2010-03-29 2011-09-29 Fujitsu Limited Storage system
US20110258376A1 (en) * 2010-04-15 2011-10-20 Lsi Corporation Methods and apparatus for cut-through cache management for a mirrored virtual volume of a virtualized storage system
US8941469B1 (en) * 2010-06-14 2015-01-27 Impinj, Inc. RFID tag authentication with public-key cryptography
US20140195480A1 (en) * 2010-12-13 2014-07-10 Fusion-Io, Inc. Persistent memory management
US20120155836A1 (en) * 2010-12-21 2012-06-21 General Instrument Corporation System and method for transferring digital content
US9235474B1 (en) * 2011-02-17 2016-01-12 Axcient, Inc. Systems and methods for maintaining a virtual failover volume of a target computing system
US9910739B1 (en) * 2011-03-31 2018-03-06 EMC IP Holding Company LLC Inverse star replication
US10083093B1 (en) * 2011-03-31 2018-09-25 EMC IP Holding Company LLC Consistent replication in a geographically disperse active environment
US20130023240A1 (en) * 2011-05-17 2013-01-24 Avish Jacob Weiner System and method for transaction security responsive to a signed authentication
US20130007393A1 (en) * 2011-06-28 2013-01-03 Daisuke Taki Memory device
US20130073840A1 (en) * 2011-09-21 2013-03-21 Pantech Co., Ltd. Apparatus and method for generating and managing an encryption key
US20130080828A1 (en) * 2011-09-23 2013-03-28 Lsi Corporation Methods and apparatus for marking writes on a write-protected failed device to avoid reading stale data in a raid storage system
US10121033B1 (en) * 2011-11-30 2018-11-06 Impinj, Inc. Enhanced RFID tag authentication
US20130305388A1 (en) * 2012-05-10 2013-11-14 Qualcomm Incorporated Link status based content protection buffers
US20130346691A1 (en) * 2012-06-26 2013-12-26 Chien-Liang Wu Method of Securing data in Storage Device and Storage Device thereof
US20140052942A1 (en) * 2012-08-15 2014-02-20 Fujitsu Limited Method for controlling storages and storage control apparatus
US20140208155A1 (en) * 2013-01-24 2014-07-24 Hewlett-Packard Development Company, L.P. Rebuilding drive data
US20140325263A1 (en) * 2013-04-30 2014-10-30 Fujitsu Limited Storage system, control apparatus, computer product, and control method
US20150193634A1 (en) * 2014-01-03 2015-07-09 Samsung Electronics Co., Ltd. Image processing apparatus and control method thereof
US20150347769A1 (en) * 2014-05-30 2015-12-03 Apple Inc. Permission request
US20160261412A1 (en) * 2015-03-04 2016-09-08 Avaya Inc. Two-Step Authentication And Activation of Quad Small Form Factor Pluggable (QFSP+) Transceivers
US20160371496A1 (en) * 2015-06-16 2016-12-22 Microsoft Technology Licensing, Llc Protected regions
US20170075631A1 (en) * 2015-09-14 2017-03-16 Fujitsu Limited Storage system, storage control device, and access control method
US20170111388A1 (en) * 2015-10-20 2017-04-20 Mcafee, Inc. Centralized and Automated Recovery
US20170185482A1 (en) * 2015-12-29 2017-06-29 Cnex Labs, Inc. Computing system with circular-shift recovery mechanism and method of operation thereof
US20170277451A1 (en) * 2016-03-22 2017-09-28 Kabushiki Kaisha Toshiba Method to limit impact of partial media failure of disk drive and detect/report the loss of data for objects due to partial failure of media
US20180024762A1 (en) * 2016-07-22 2018-01-25 International Business Machines Corporation Data access management in distributed computer storage environments
US20180054432A1 (en) * 2016-08-19 2018-02-22 Microsoft Technology Licensing, Llc Protection feature for data stored at storage service
US20180129520A1 (en) * 2016-11-07 2018-05-10 Beijing Baidu Netcom Science And Technology Co., Ltd. Method and apparatus for starting virtual machine
US20180232249A1 (en) * 2017-02-15 2018-08-16 International Business Machines Corporation Virtual machine migration between software defined storage systems
US10074391B1 (en) * 2017-03-08 2018-09-11 Kabushiki Kaisha Toshiba Spiral-based self-servo-write on single disk surface
US20180260273A1 (en) * 2017-03-09 2018-09-13 Hewlett Packard Enterprise Development Lp Detection of error patterns in memory dies
US20190034620A1 (en) * 2017-07-31 2019-01-31 Dell Products, L.P. System shipment lock
US20190138405A1 (en) * 2017-09-29 2019-05-09 Huawei Technologies Co., Ltd. Data Loading Method and Apparatus
US20190286805A1 (en) * 2018-03-13 2019-09-19 Ethernom, Inc. Secure tamper resistant smart card
US20190342284A1 (en) * 2018-05-07 2019-11-07 Vmware, Inc. Secure gateway onboarding via mobile devices for internet of things device management
US20200073828A1 (en) * 2018-09-04 2020-03-05 Via Technologies, Inc. Security system and method of stored data
US20200233967A1 (en) * 2019-01-23 2020-07-23 Micron Technology, Inc. Memory devices with cryptographic components
US20200257470A1 (en) * 2019-02-12 2020-08-13 International Business Machines Corporation Storage device with mandatory atomic-only access
US20200313899A1 (en) * 2019-03-25 2020-10-01 Micron Technology, Inc. Using memory as a block in a block chain
US20200311314A1 (en) * 2019-03-25 2020-10-01 Micron Technology, Inc. Data attestation in memory
US20210089684A1 (en) * 2019-09-20 2021-03-25 Alibaba Group Holding Limited Controlled access to data stored in a secure partition
US20210103528A1 (en) * 2019-10-03 2021-04-08 Microsoft Technology Licensing, Llc Protection of data in memory of an integrated circuit using a secret token

Also Published As

Publication number Publication date
US20210240363A1 (en) 2021-08-05

Similar Documents

Publication Publication Date Title
US10454922B2 (en) System and method for recognizing malicious credential guessing attacks
US9047458B2 (en) Network access protection
US8171287B2 (en) Access control system for information services based on a hardware and software signature of a requesting device
CN112513857A (en) Personalized cryptographic security access control in a trusted execution environment
US11212283B2 (en) Method for authentication and authorization and authentication server using the same for providing user management mechanism required by multiple applications
US8590017B2 (en) Partial authentication for access to incremental data
KR20220009388A (en) Ransomware mitigation in integrated and isolated applications
US20100228987A1 (en) System and method for securing information using remote access control and data encryption
US8695085B2 (en) Self-protecting storage
US10558796B2 (en) Enforcing trusted application settings for shared code libraries
US11782610B2 (en) Write and compare only data storage
EP3704622B1 (en) Remote locking a multi-user device to a set of users
CN113826095A (en) Single click login process
US10158623B2 (en) Data theft deterrence
US20190182229A1 (en) Advanced application security utilizing an application key
US11232220B2 (en) Encryption management for storage devices
US20070263868A1 (en) Method and apparatus for securely executing a background process
CN110807186A (en) Method, device, equipment and storage medium for safe storage of storage equipment
KR102375616B1 (en) Method and system for managing key to authenticate end user
US11477189B2 (en) Primary domain and secondary domain authentication
US20220066659A1 (en) Data protection method and electronic device implementing data protection method
US20220138290A1 (en) Method and system for a secure transaction
CN113312679A (en) Secure storage enhancement for authentication systems
KR20060040155A (en) System and method for securing data based on fingerprint authentication
CN111666560A (en) Password management method and system based on trusted execution environment

Legal Events

Date Code Title Description
AS Assignment

Owner name: SEAGATE TECHNOLOGY LLC, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:TUMBLIN, CHRISTOPHER B.;LACY, JESS;BARRELL, MICHAEL;SIGNING DATES FROM 20200128 TO 20200129;REEL/FRAME:051678/0018

FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STPP Information on status: patent application and granting procedure in general

Free format text: APPLICATION DISPATCHED FROM PREEXAM, NOT YET DOCKETED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: ADVISORY ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: ADVISORY ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE